First identified by Hold Security, the stolen data cache contained 4.5 billion total records, of which 1.2 billion were unique credentials. The ramifications and seriousness of the data loss are unknown, which tends to fuel both concern and skepticism.
What is known, however, is that simple passwords are highly vulnerable and should never be the sole security mechanism that protects sensitive identities or information. All users are strongly encouraged to use strong, unique passwords for every high-value site and complement that with some means of strong authentication.
“At this stage of the game, using passwords for security is simply table stakes,” Entrust senior vice president David Rockvam told Dark Reading. “In order to truly protect our personal and financial information, second-factor authentication is a necessity.”
According to Help Security, the strategic, long-term attack leveraged botnets to take advantage of SQL vulnerabilities.
“These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited. The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone,” Help Security wrote in their findings.
Noted security researcher Brian Krebs fielded so many questions after the news that he posted a detailed Q&A session on his popular security blog, Krebs On Security.
“My phone and email have been flooded with questions and interview requests from various media outlets since security consultancy Hold Security dropped the news that a Russian gang has stolen more than a billion email account credentials,” said Krebs.
The informative session explained some of the known details about the Russian data theft, what the thieves may do with the information, and whether users should be concerned.
On Aug. 5, Forbes staff writer Kashmir Hill reported that Hold Security announced a new service that would not only notify an organization of a breach, but also let a paying organization know whether it was a victim of the larger Russian data theft. In the Forbes story, Hill questioned the link between the announcement and the new service.