Why the Russian “hack” of 1.2 billion passwords is more hype than harm

When a story broke in the New York Times earlier this month that a Russian cyber gang had amassed 1.2 billion unique username and password combinations, the media hype machine went into overdrive.

Many media outlets reported the news as if these passwords had been stolen as part of a single, mega-breach – which would make it the largest data breach ever, dwarfing those of Adobe and Target.

But that’s not what happened.

As Sophos Senior Security Advisor Chester Wisniewski pointed out in an opinion column published at CNN.com, a large portion of the email addresses and passwords among the 1.2 billion were likely from previously disclosed data breaches of websites such as eBay, Adobe and Sony.

That means many of the stolen passwords were “hashed,” so it would take the crooks a long time to crack them. Plus, some of these hashed passwords are quite old and probably useless to criminals.

Unfortunately, we just don’t know where this trove of data comes from because the security firm behind the report, Hold Security, hasn’t fully disclosed its findings.

SophosLabs Principal Virus Researcher Vanja Svajcer noted that Hold Security hasn’t shared its research with the security community – which is quite an “unusual approach.”

“For a long time the security industry has freely shared information on breaches within its own community,” Vanja tells the Sophos Naked Security blog.

Despite Hold Security’s questionable methods, the company’s revelations demonstrate just how bad security is at many websites.

In light of all this, here are some security tips for businesses, website owners, and the public.

For users

  • Just to be safe, you should check your bank and social media accounts for suspicious behavior.
  • It’s good sense to change your passwords frequently.
  • Always use unique passwords for each website.
  • Use two-factor authentication wherever you can.

For website owners

To learn more about how a modern firewall can improve your security posture on multiple levels, listen to the Sophos Techknow podcast Firewalls Demystified.


Want to hear more from Sophos?