Russian Hackers Amass One Billion Stolen Passwords — Make Sure Yours Aren’t Next

Many Americans are worried about information security and the safety of their online data. For good reason, too. Recent reports indicate a Russian crime ring has stockpiled the largest known collection of stolen credentials — 1.2 billion username and password combinations and 542 million unique email addresses.

That tally was compiled by Milwaukee’s Hold Security, which discovered confidential data had been compromised from 420,000 different websites, both large and small. Hold Security refused to name the affected companies and sites, raising questions about the validity of the data, particularly after Hold started charging $120 for administrators to check whether their sites were compromised. But many experts who examined the raw data said that the accumulation of credentials looked real, and that large corporations were included on that list, many of which already knew their records had been stolen.

“Hackers did not just target U.S. companies,” Alex Holden, founder and chief information security officer for Hold Security, told The New York Times. “They targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable.”

This only adds to the avalanche of recent news detailing the dismal state of data security: Target’s loss of 40 million credit card numbers and 70 million addresses and phone numbers, which the company recently projected would cost it $148 million; a Vietnamese identity theft service obtaining 200 million records (including Social Security numbers!) from Court Ventures, a company owned by data brokerage and credit report firm Experian; and other serious threats such as the CryptoLocker ransomware and the Internet Explorer flaw.

Details of the Hold Security report indicate that none of the stolen records have been sold on the online black market; instead, they’re being used to hack email and social media accounts and send spam. But the revelation about the Russian hackers may lead to major changes in identity protection, which global technology research firm Gartner said represents the Internet’s next big challenge.

“Companies that rely on user names and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at Gartner. “Until they do, criminals will just keep stockpiling people’s credentials.”

So how can you protect your online security and keep your personal information out of the hands of hackers? These five steps aren’t 100 percent foolproof, but they will get you off on the right foot.

1) Change your passwords! If you use the same password for multiple websites and services (admit it, most of us do), you are exactly the user these criminals are counting on: a credential stolen from one small, poorly secured site gets replayed against your email, bank, and social media logins, and a single match opens all of them. Every account needs its own password, and that password should be long (at least 12 characters, and longer is better) and unpredictable. Cosmetic substitutions buy almost nothing: “P@ssw0rd#33” in place of “password33” is still the word “password” with decoration, and cracking tools try those swaps automatically. A random string from a password generator, or a multi-word passphrase you have never used anywhere else, is far stronger.

2) Always take advantage of two-factor authentication. Facebook, Twitter, Yahoo, Google, and many other major services are shifting more and more to this method, which requires both your password and a one-time code, either sent to your phone by text message or generated by an authenticator app on it. The point is that a password stolen in a breach like this one is no longer enough on its own to log in as you. It takes 30 extra seconds, but it’s definitely worth the effort.

3) Ensure that anti-virus software and security patches are up to date. This task is probably best left to your IT professional. Don’t have one? That’s where CMIT Solutions comes in. Our proactive maintenance and monitoring services include built-in anti-virus software that can often block malware before it infects your machine.

4) Employ a password management tool like LastPass or Dashlane. Both of these services support two-factor authentication; encrypt your stored passwords both on your device and in transit; auto-fill forms; and generate strong, randomized passwords, which removes the main excuse for reusing one. Want an “easy” button for password management? These tools provide it, offering particularly beneficial services for businesses subject to industry regulations like HIPAA, FINRA, and PCI.

5) Regularly check email, banking, and social media accounts to make sure they haven’t been hacked. In the wake of the billion-password theft, many major services will probably prompt users to reset their passwords and turn on two-factor authentication. But since the affected sites haven’t been publicly announced, many won’t rush to notify you, especially if their sites are still vulnerable. If you’ve recently received a password-reset email you did not ask for, or a verification code you did not request, treat it as a sign that someone is trying your credentials: go directly to each site (not through links in the email, which may themselves be phishing) and review your protected accounts to make sure they haven’t also been hacked. And then CHANGE YOUR PASSWORDS!
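As an added illustration for step 1 (example code written for this article, not a CMIT Solutions tool), the script below shows why a unique, long password matters more than symbol substitution. It undoes the character swaps that cracking tools apply automatically, so “P@ssw0rd#33” collapses to the same base word as “password33”, and it flags a password that is reused across sites. The leaked-word list, the substitution table, the 12-character minimum and the site names are all constructed for the example; real leaked-password lists hold hundreds of millions of entries.

```python
"""Password reuse and pattern check (added example, not the article's or CMIT's code)."""
import secrets
import string

# Constructed stand-in for a leaked-password list; real lists built from
# breaches like the one described above hold hundreds of millions of entries.
LEAKED_WORDS = {"password", "qwerty", "letmein", "iloveyou", "monkey", "dragon", "123456"}

# Character substitutions that cracking tools undo before comparing against a
# wordlist (a small subset of the common "leet" rules; constructed here).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "1": "i",
                      "!": "i", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12  # assumed policy for this example


def base_word(password: str) -> str:
    """Reduce a password to the dictionary word an attacker's rules would recover:
    drop leading/trailing digits and symbols, undo leet substitutions, lowercase."""
    core = password.strip(string.digits + string.punctuation)
    return core.translate(LEET).lower()


def weaknesses(password: str, sites_using_it: tuple = ()) -> list:
    """Return the reasons a password is a poor choice (an empty list means none found).
    `sites_using_it` is the caller's record of where this same password is in use."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"only {len(password)} characters; use at least {MIN_LENGTH}")
    word = base_word(password)
    if word in LEAKED_WORDS:
        problems.append(f"'{word}' is a leaked word with decoration added")
    if len(sites_using_it) > 1:
        problems.append("reused on " + ", ".join(sites_using_it))
    return problems


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG; this is what a manager's generator does."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("password33", "P@ssw0rd#33", "granite otter violin 47", generate_password()):
        print(f"{pw!r}: {weaknesses(pw) or 'no obvious weaknesses'}")
    # Same password on three sites (constructed): one breach exposes all three.
    print(weaknesses("P@ssw0rd#33", ("email", "bank", "facebook")))
```

Both “password33” and “P@ssw0rd#33” reduce to the leaked word “password”, which is the check a real cracking run performs in bulk; the randomly generated password passes because there is no base word to recover.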

Concerned about keeping your personal information and business data safe? Worried that password security is a losing battle — and that it represents only one small slice of your technological health? Call or email CMIT Solutions today. We take your online security seriously! 

For additional information, please contact: Rick Megni, CMIT Solutions of Northern Chester County; 484.944.0019.