Hackers have amassed a vast collection of stolen data, including 1.2 billion unique username/password pairs, by compromising over 420,000 websites using SQL injection techniques.
Researchers monitored the gang for over seven months, thought to be “fewer than a dozen men in their 20s who know one another personally” based in a small city in central Russia.
They found that the group, working together since at least 2011, had rented time on bot-infected machines around the world, and rather than the more standard techniques of sending masses of spam, distributing malware or monitoring the infected system to catch banking logins, had instead monitored each and every website visited by the compromised host’s user, probing for vulnerabilities to SQL injection attacks.
Vulnerable sites were then plundered for any data they could be tricked into leaking, which was added to the gang’s epic cache. This amounted to 4.5 billion records, including the 1.2 billion unique login pairs and over half a billion unique email addresses. The data has apparently been verified as genuine by an independent expert at the behest of the New York Times.
SQL injection attacks are one of the most common ways of compromising web-facing systems.
Databases are used by websites to store all sorts of information, including sensitive data like passwords and credit card details.
Because of their sensitivity these databases are not publicly accessible and are only visible to the website that uses them. But if that website is not coded with security in mind attackers can use the website as a go-between that gives them indirect access to the database.
Although this haul is staggeringly large the infrastructure and techniques required to perform the attack are nothing new, according to SophosLabs’ Senior Threat Researcher James Wyke.
A large proportion of all the malware families that we see form some sort of botnet. In fact there are relatively few categories of malware that don’t.
Even those that don’t are often spread through botnets – CryptoLocker was spread via the Gameover Zeus botnet for example.
Botnets themselves can be extremely large. We estimated that the ZeroAccess botnet managed to infect over 9 million machines and the number of Gameover infections was also in the millions.
There is currently no way to tell if you have been affected by any of this. The owners of the affected sites are being informed and hopefully they will tell their users in turn.
Because the sites that were successfully attacked were compromised by easily-avoided vulnerabilities it’s prudent to assume those sites didn’t secure the data in their databases properly either. Even strong passwords are at risk if they aren’t stored correctly.
That means a large, random selection of people have had their personal data compromised and the only reasonable security precaution is to assume you’re one of them. We recommend that you:
This data haul may yet turn out to be a ‘Heartbleed’ moment for website owners who assume their sites are too small to be of interest to hackers.
The gang that amassed this giant data haul didn’t discriminate between popular or unpopular, large or small. All that mattered was vulnerability.
Fortunately SQL injection attacks are easily defeated by simple coding practices.
If you run a website, we recommend that you:
Perform an application scan or full application penetration test
by John Hawes on August 6, 2014