Russian Hacker Theft Shows Continued Need for Strong Authentication


As reported by Dark Reading, The New York Times and The Wall Street Journal, among others, a Russian crime group has reportedly amassed more than 1.2 billion username-and-password combinations.

First identified by Hold Security, the stolen cache contained 4.5 billion records in total, 1.2 billion of which were unique credentials. The ramifications and seriousness of the loss are still unknown, which tends to fuel both concern and skepticism.

What is known is that simple passwords are highly vulnerable and should never be the sole mechanism protecting sensitive identities or information. All users are strongly encouraged to use a strong, unique password for every high-value site and to complement it with some form of strong authentication, so that a stolen password alone does not unlock the account.

“At this stage of the game, using passwords for security is simply table stakes,” Entrust senior vice president David Rockvam told Dark Reading. “In order to truly protect our personal and financial information, second-factor authentication is a necessity.”
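The point being made above is that a harvested password should be useless on its own. The following is an added example (not code from the original article or from Entrust) showing what that looks like on the server: a login that only succeeds when a hashed password check and a time-based one-time code (RFC 6238 TOTP over RFC 4226 HOTP) both pass, with a constant-time comparison and a guard against replaying an already-accepted code. The secret is the RFC test-vector key and the account, salt and password are constructed for the demo; names such as `TotpVerifier` and `login` are the example's own.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226 / RFC 6238 test-vector key, not a real user's secret.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is the number of whole time steps since the epoch."""
    return hotp(secret, for_time // step, digits)


class TotpVerifier:
    """Accepts a code for the current step or one step either side, never twice for the same step."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1  # highest counter already accepted; blocks replay of a captured code

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_counter:
                continue  # already consumed, or older than the last accepted step
            expected = totp(self.secret, candidate * self.step, self.step)
            if hmac.compare_digest(expected, code):  # constant-time, no early exit on mismatch
                self.last_counter = candidate
                return True
        return False


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash so a leaked database does not yield plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed demo account (assumption for the example): one salt and the hash of one password.
DEMO_SALT = b"demo-salt-0123456"
DEMO_PASSWORD_HASH = pbkdf2("correct horse battery staple", DEMO_SALT)


def login(password: str, code: str, verifier: TotpVerifier, now: int) -> bool:
    """Both factors must pass; a stolen password by itself is not enough."""
    password_ok = hmac.compare_digest(pbkdf2(password, DEMO_SALT), DEMO_PASSWORD_HASH)
    # Evaluate the second factor regardless, so the response does not reveal which factor failed.
    otp_ok = verifier.verify(code, now)
    return password_ok and otp_ok


if __name__ == "__main__":
    v = TotpVerifier(DEMO_SECRET)
    now = 59  # RFC 6238 test time: counter 1
    good_code = totp(DEMO_SECRET, now)
    print("password only:", login("correct horse battery staple", "000000", v, now))
    print("password + code:", login("correct horse battery staple", good_code, v, now))
    print("replayed code:", login("correct horse battery staple", good_code, v, now))
```

The replay guard matters in practice: an attacker who phishes a password and a freshly entered code has about one time step to use it, and only once. Clock skew is handled by the one-step window; widen it with care, since every extra step is another valid code at any moment.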

According to Hold Security, the long-running, strategic attack used botnets to find SQL injection vulnerabilities on a massive scale.

“These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited. The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone,” Hold Security wrote in its findings.
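The flaw class named above is the one that lets a single crafted input dump a site's entire credential table. As an added example (not code from the article, Hold Security or Entrust), the block below builds a throwaway in-memory SQLite table with two constructed accounts and runs the same lookup two ways: once with the username spliced into the SQL text, which a classic `' OR '1'='1` payload turns into a full dump, and once with a bound parameter, which treats the payload as a literal string and matches nothing. Function and table names are the example's own.

```python
import sqlite3

# Constructed sample data for the demo; the hashes are placeholder strings, not real digests.
DEMO_USERS = [
    ("alice", "hash-of-alice-password"),
    ("bob", "hash-of-bob-password"),
]


def build_demo_db() -> sqlite3.Connection:
    """In-memory table standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", DEMO_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # BAD: untrusted input becomes part of the statement, so quotes in it change the query's logic.
    query = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # GOOD: the input is bound as a parameter; the database never parses it as SQL.
    query = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# The payload a scanner (or a botnet) would try: closes the string and appends an always-true clause.
DUMP_PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    conn = build_demo_db()
    print("vulnerable:", lookup_vulnerable(conn, DUMP_PAYLOAD))  # every row in the table
    print("hardened:  ", lookup_hardened(conn, DUMP_PAYLOAD))    # no such user, nothing returned
    print("hardened, real user:", lookup_hardened(conn, "alice"))
```

The fix is not escaping or a denylist but keeping code and data separate: every query that carries user input should use placeholders, and the table should hold slow salted hashes rather than passwords, so that a dump is worth far less than the one described above.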

Noted security researcher Brian Krebs fielded so many questions after the news that he posted a detailed Q&A session on his popular security blog, Krebs On Security.

“My phone and email have been flooded with questions and interview requests from various media outlets since security consultancy Hold Security dropped the news that a Russian gang has stolen more than a billion email account credentials,” Krebs wrote.

The Q&A laid out what is actually known about the theft, what the criminals might do with the data, and whether users should be concerned.

On Aug. 5, Forbes staff writer Kashmir Hill reported that Hold Security had announced a new paid service that would not only notify an organization of a breach but also tell it whether it was among the victims of the Russian theft. In the Forbes story, Hill questioned the link between the disclosure and the paid service.


Entrust provides identity-based security solutions that empower enterprises, consumers, citizens and websites in more than 5,000 organizations spanning 85 countries. Entrust's identity-based approach offers the right balance between affordability, expertise and service. With more than 125 patents granted and pending, these world-class solutions include strong authentication, physical and logical access, credentialing, mobile security, fraud detection, digital certificates, SSL and PKI.

