Is the CyberVor Breach Real?

Obscure security firm reported the unprecedented mass password theft, but without all the details, security experts still have questions.

by Colin Wood / August 13, 2014

On Aug. 5, a security firm called Hold Security announced findings that a Russian outfit had stolen 4.5 billion login credentials from 420,000 websites. The size and vagueness of the claim, combined with the fact that Hold Security coupled its announcement with a sales pitch for its services, caused analysts to question whether the claim was legitimate. An independent security expert hired by The New York Times confirmed the claim was authentic, but information is still limited to what Hold Security shared in its initial report, and skepticism lingers.

Hold Security is not a well-known firm, and many analysts had not heard of its founder, Alex Holden. What’s more, one security blogger claims the company didn’t even have a Web presence until the announcement was made. A stock image of several people dressed as business executives on the company’s “About” page does not instill confidence.

Hold Security said its discovery was made over seven months of researching a “cyber gang” the company dubbed “CyberVor.” The credentials were stolen using botnets, networks of compromised machines running automated tools, that scanned websites for SQL injection vulnerabilities. The credentials came from small businesses, Fortune 500 companies and websites. Of the 4.5 billion credentials, 1.2 billion are unique. The most critical pieces of information, like exactly which websites were compromised, have not been reported.
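The report says only that the credentials were harvested by botnets probing for SQL injection, without naming a site or a query. The following is an added example, not code from Hold Security or from any site in the report, that shows the shape of the bug such a scanner looks for: a login lookup that splices the submitted username into the SQL text beside the same lookup with a bound parameter. The table, accounts and probe strings are constructed here for illustration and run against an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data for a small site's user table (invented accounts,
# not from the CyberVor report). Storing plaintext passwords is itself a
# defect, but it is what makes a dump of this table directly reusable.
USERS = [
    ("alice", "alice@example.com", "hunter2"),
    ("bob", "bob@example.com", "correct horse"),
    ("carol", "carol@example.com", "Tr0ub4dor&3"),
]

# Two probes of the kind an automated scanner submits in a username field:
# the first collapses the WHERE clause so every row matches, the second
# appends a UNION that reads the schema table instead of user data.
TAUTOLOGY_PROBE = "x' OR '1'='1"
UNION_PROBE = "x' UNION SELECT name, sql, '' FROM sqlite_master--"


def make_db():
    """Create and populate an in-memory database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by concatenation: the input becomes SQL syntax."""
    sql = ("SELECT username, email, password FROM users WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Binds the input as a value: the driver never treats it as SQL syntax."""
    sql = "SELECT username, email, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(probe):
    """Return (rows leaked by the vulnerable lookup, rows returned by the safe one)."""
    conn = make_db()
    return lookup_vulnerable(conn, probe), lookup_parameterized(conn, probe)


if __name__ == "__main__":
    for probe in (TAUTOLOGY_PROBE, UNION_PROBE):
        leaked, safe = compare(probe)
        print(f"probe {probe!r}: vulnerable returned {len(leaked)} row(s), "
              f"parameterized returned {len(safe)}")
        for row in leaked:
            print("   ", row)
```

With the tautology probe the concatenated query returns every credential in the table; with the UNION probe it returns the CREATE TABLE text from sqlite_master, which is how a scanner learns column names before dumping them. The parameterized lookup returns nothing for either probe because no user is literally named with that string. A scanner does not need to know anything about the site in advance; it only needs one input that reaches a query built this way.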

The thing everyone wants to know right now is if this is legitimate, said Mark Bower, vice president at Voltage Security. “It’s been a bit of a surprise that the organization that reported this also appears to be trying to build a business around it,” Bower said. “So, there’s definitely a lot of eyebrows getting raised, especially as in the industry it’s always best practice to share this kind of information to nip the risk and the consequences in the bud, where possible.”

Hold Security did not respond to emailed questions from Government Technology, but on Aug. 12, the company responded to some of the common criticisms floating around by updating the FAQ on its website. Companies can sign up with Hold Security for a free 30-day subscription that lets them access an online tool to see if they were part of the breach. Some news outlets initially reported that Hold Security was charging $120 for the service, but the revised FAQ explains that the ongoing service is simply being offered to those looking to prevent future breaches.

The alleged breaches of Fortune 500 companies might not be as bad as they sound, Bower said. “It doesn’t necessarily mean that those are Fortune 500 companies that had their entire customer databases [compromised],” he said. “It may be that there were small parts of a larger enterprise that might have been compromised. Notwithstanding, it’s a very, very large number of credentials if this turns out to be indeed bona fide, overall.”

If legitimate, the takeaway from this widespread attack is threefold, Bower said. “For organizations themselves that are handling consumer data, they have to really rethink and look at their data security practices to see if there are ways in which they can improve,” he said. “Certainly to avoid these breaches becoming significant, it’s looking at ways to neutralize the breach, should it happen, and there are technologies out there that can do that today.”

The other two lessons are for consumers, Bower said. “What’s going to happen first with this is we’re going to see another round of malicious spam, which is always an attempt to gain access to systems, that then leak even more data. So consumers need to be aware of emails that may be suspicious, and delete them if they see them,” he said. The final lesson, Bower said, is that people need to be more vigilant in general, and only enter personal information into trusted websites, and only when absolutely necessary.

Having a password stolen from a small website that holds little personally identifying information may not sound like a big deal, but the threat is when people use the same password for multiple websites, said Michael Sutton, vice president of security research at Zscaler. “This really shows the weakness in password-based authentication because your password is only as strong as the weakest site you have ever used that on,” he said. “It would be virtually impossible for the average person to go and change all their passwords. They wouldn’t even know where to begin, so that’s really the impact.”

Sutton and others recommend using a password manager, which lets consumers use complex, unique passwords for every website they visit. Two-factor authentication is a security improvement for businesses, experts say, but it isn’t a viable solution for many websites and doesn’t completely solve the problem, anyway.
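Sutton’s point that a password is only as strong as the weakest site it was ever used on is the mechanism behind credential stuffing. The following is an added example, not from the article or from any vendor quoted in it, that plays it out with constructed accounts: site A stored passwords in the clear and has been dumped; site B stores salted PBKDF2 hashes and did nothing wrong, yet every user who reused a password at B is opened by replaying the dump against B’s login check. The only account that survives belongs to the user who, as a password manager would arrange, used a different password at each site. The user names, passwords and iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed dump of site A, which stored passwords in plaintext (the "weakest
# site"). Accounts and passwords are invented for this example.
SITE_A_DUMP = {
    "alice@example.com": "hunter2",
    "bob@example.com": "Summer2014!",
    "carol@example.com": "qK7!vz2#Lp9",
}

# What the same people chose at an unrelated site B. Alice and Bob reused their
# site A password; Carol used a manager-generated password unique to site B.
SITE_B_CHOICES = {
    "alice@example.com": "hunter2",
    "bob@example.com": "Summer2014!",
    "carol@example.com": "m2$Wq8^rT1x",
}

ITERATIONS = 50_000  # assumed work factor; real deployments tune this higher


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def build_site_b():
    """Site B's credential store: per-user random salt and slow hash, no plaintext."""
    return {email: hash_password(pw) for email, pw in SITE_B_CHOICES.items()}


def verify(record, candidate):
    """Site B's login check, with a constant-time digest comparison."""
    salt, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


def replay_dump(site_b, dump):
    """Replay each leaked (email, password) pair against site B's login check.

    Run by an attacker this is credential stuffing; run by site B against a
    published dump it is the list of accounts that must be forced to reset.
    """
    return sorted(email for email, pw in dump.items()
                  if email in site_b and verify(site_b[email], pw))


if __name__ == "__main__":
    store = build_site_b()
    opened = replay_dump(store, SITE_A_DUMP)
    print("site B accounts opened by the site A dump:", opened)
    print("site B accounts that survived:", sorted(set(store) - set(opened)))
```

Nothing in site B’s storage can prevent this outcome: the hash only slows guessing, and a replayed password is not a guess. That is why the defensive half of the same routine matters. A site that obtains a dump (here, the data Hold Security says it holds) can run the replay against its own store and reset exactly the accounts that match, which is the step an individual user cannot perform across every site they have ever used.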

Other analysts have suggested that the latest breach doesn’t even matter. One writer for Mashable reported that her own credit card information has been stolen four times in three years, but that it hasn’t impacted her life very much. “Rather than hoping my information won't be hacked, I go about my business with the expectation that it will. That's not to say that someone breaking into one of my main email accounts or my bank wouldn't still be devastating,” Christina Warren wrote. “But I do what I can …”

With each large breach, legitimate or not, the industry’s security paradigms are called into question. ‘Why do we still have passwords?’ is not an uncommon question in 2014. Talk of requiring biometric data for online authentication, or even creating a kind of driver’s license for the Internet, are ideas that pop up at times like these.

The important thing to remember, Bower said, is that anyone, no matter how small, can be attacked. “Organizations especially ask the question, ‘Why me? Why would attackers go after my business? Because I’m not significant, or I work with a very small niche market,’” Bower said.

Although some attacks are specifically targeted -- and have resulted in major breaches -- a growing number of incidents are triggered by constant, random probing for weakness. “The point is that today, when attackers are going after systems, they can use automated botnets and tools to essentially scan for vulnerabilities and then just compromise the systems arbitrarily, looking for sensitive information, almost like a drive-by,” Bower explained. “Every organization collecting any type of sensitive information needs to really revisit their data security strategy and think twice about how they’re protecting and managing sensitive assets and how they’re managing their infrastructure, because otherwise they will simply be breached at some point in time because of the nature of the way the attacks take place.”