360 million login credentials found for sale


By Dylan Bushell-Embling
Tuesday, 04 March, 2014


The sale of login credentials on the black market has become a big business. Cybersecurity firm Hold Security made a splash last week when it announced it had uncovered nearly 360 million stolen credentials up for sale, as well as over 1 billion email addresses.

According to Hold Security, in the first three weeks of February alone, the company identified nearly 360 million stolen and abused credentials - including unencrypted usernames and passwords - for sale on the deep web. The company also identified 1.25 billion records with email addresses only, including addresses from popular webmail providers and nearly all major US companies.

The records are believed to have been stolen in separate attacks, in data breaches that have not yet been publicly reported and that the victims may not yet even be aware of.

But Hold Security Chief Information Security Officer Alex Holden told Reuters that there is evidence to suggest that 105 million records were stolen in a single attack, which would make it the largest known single breach of personal records to date.

Holden separately told PC World that Hold Security is still trying to ascertain which companies had been breached. But he speculated that likely victims include online dating or job hunting sites, as these companies are likely to have large numbers of users and are not generally known for their robust security.

Experts argue that stolen credentials are potentially far more damaging than mere stolen credit card details. Hackers could conceivably use the information to access a user's bank account, and any money stolen in this way may not be recoverable the way fraudulent credit card transactions are.

Australian Information Security Association (AISA) spokesperson and Cisco cybersecurity lead Lani Refiti said the abuse of personal information can certainly be a more profitable business.

"Personal identifiable information is potentially more lucrative for cybercriminals because there is potentially more you can do with it than just a simple credit card number. You can apply for loans, credit cards, use the credentials to try and breach organisations that the users are connected to or for spam purposes," Refiti said.

The information about the stolen credentials comes from a trusted source, Refiti said, noting that Holden helped uncover the major Adobe Systems data breach in late 2013. That incident involved the theft of 153 million Adobe customer credentials over multiple breaches.

Because users so commonly reuse the same username and password across sites, the haul of login credentials represents a "complete treasure trove for cybercriminals", online security consultant Graham Cluley told the BBC.

Cluley added that enterprising cybercriminals could use the 360 million records to work out which passwords are most common, and then try those first against entirely unrelated accounts, cracking them far more efficiently than by guessing blind.
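The two sides of Cluley's point, as an added example that is not part of the article and not code from Hold Security: an attacker runs frequency analysis over a dump to get a short list of passwords worth spraying, and a defender turns the same dump into a denylist for new passwords and checks which of its own users appear in it. The dump lines, the `email:password` format and the addresses are constructed for this example; the function names are this example's own.

```python
"""Frequency analysis over a constructed credential dump, and the denylist
and exposure check a defender would build from the same data.
Added example; not code from the article or from Hold Security."""
from collections import Counter

# Constructed sample dump in the common "email:password" format.
# Every entry here is made up for illustration.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.net:password
carol@example.org:123456
dave@example.com:qwerty
erin@example.net:123456
frank@example.org:password
grace@example.com:letmein
heidi@example.net:Tr0ub4dor&3
# a real dump carries junk lines like this one
ivan@example.org:123456
judy@example.com:password1
"""


def parse_dump(text):
    """Yield (email, password) pairs, skipping blanks, comments and lines
    without a separator. Split on the first ':' only, because passwords
    may themselves contain ':'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.lower(), password


def top_passwords(text, n=3):
    """Attacker side: the most common plaintext passwords in the dump, which
    is exactly the list tried first in a password-spraying run elsewhere."""
    counts = Counter(pw for _, pw in parse_dump(text))
    return counts.most_common(n)


def build_denylist(text, min_count=2):
    """Defender side: any password seen at least min_count times in the dump
    goes on a denylist. Compared case-insensitively."""
    counts = Counter(pw.lower() for _, pw in parse_dump(text))
    return {pw for pw, c in counts.items() if c >= min_count}


def password_allowed(candidate, denylist):
    """Reject a new password that appears on the denylist."""
    return candidate.lower() not in denylist


def exposed_accounts(text, our_users):
    """Which of our users' addresses appear in the dump: the kind of match a
    breach-notification service raises, here as a plain set intersection."""
    dumped = {email for email, _ in parse_dump(text)}
    return sorted(dumped & {u.lower() for u in our_users})


if __name__ == "__main__":
    print(top_passwords(SAMPLE_DUMP))
    deny = build_denylist(SAMPLE_DUMP)
    print(sorted(deny), password_allowed("Password", deny))
    print(exposed_accounts(SAMPLE_DUMP, ["Alice@example.com", "zed@example.com"]))
```

On a real dump the denylist threshold would be far higher than 2, and the exposure check would be run against hashed or partial values rather than raw addresses, but the shape of both operations is the same.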

The email address records - which would be valuable to spammers - meanwhile originate from major providers including Google, Microsoft and Yahoo. Hold Security said it had also found addresses belonging to nearly every company on the Fortune 500 list of the top US companies by gross revenue.

The caveat with this story is that Hold Security announced the details of the stolen records to promote the launch of its Credentials Integrity Services, which lets enterprises, ISPs and SMBs sign up to be notified when Hold detects that their users' credentials have been breached.

All content Copyright © 2024 Westwick-Farrow Pty Ltd