The Lie Behind 1.2B Stolen Passwords (youarenotpayingattention.com)
176 points by mhurron on Aug 8, 2014 | hide | past | favorite | 42 comments


Yep, this is all a show for Black Hat, and with many more interesting topics to discuss, it's sad that this bullshit caught the attention of the media as the lead story. At RSA 2014, the lead topic was the role of government, its link with industry, and the ethics of omnipresent spying. All I've heard from BH as an outsider to that conference is "Well, there have been a lot of compromises over the years, and some Russian group gathered them all up to make it a big number."

A tl;dr for the article's tl;dr: This is not a big thing; the list is largely outdated; there's no new breach; if it were a big deal, then more than just some salesman at BH would be screaming about it.


Cross-posting this from another site I posted this on:

I am glad to see that someone has said what I had suspected. I made a quip [1] about the ethics of charging for information regarding whether or not you're affected by a breach--full disclosure, I run a free service that lets you search for data that may or may not have been leaked called Canary [2]. The only thing I care to charge for is if you're a business and want to link this into your SIEM or whatever, I want you to pay up--otherwise feel free to search manually.

1.2 billion compromised credentials is a lot. In fact, it's so much that I found it hard to believe. Adobe's breach was no more than 150 million user accounts, and if you take a look at various sources [3], you'll be able to infer that the number of affected users overall is anywhere between 250 and 400 million depending on where or who you look at (Wikipedia was quick to cite in this case). Needless to say, I call bullshit on this count unless Hold Security is somehow getting its numbers wrong due to an extremely large amount of duplicates.

To put it all into context, Canary has about 476,000 e-mail addresses stored within its databases with about 350,000 potential passwords stored in a hashed format. This has been collected since mid-last year from over 1.1 million unique samples. It's completely automated, so I am not sitting on random Tor websites collecting it myself; it's done without me having to take a look.

If you're interested in helping contribute to the project, I'd love to hear from you. I'd like to see us avoid having to rely on products like Hold Security's because leaked data is data that everyone should be able to know without having to pay a broker an enormous sum.

[1] http://canarypw.wordpress.com/2014/08/06/canary-will-not-cha...

[2] https://canary.pw/

[3] http://en.wikipedia.org/wiki/Data_breach


That's assuming that the leak is from a single source (single business or website).

Is it conceivable that if you aggregate all leaks it would equal the 1.X billion number referenced?

The locations of hundreds of thousands of WordPress and similar CMS sites are well known and constantly hit by botnets trying to brute-force passwords and waiting for site admins to leave a site un-updated, so I'm sure they get compromised all the time. I operate several honeypots just for fun and have a list of thousands of sites with malware on them that undoubtedly have had their databases stolen. Then everyone who runs a site (or has sufficient permissions) who is in that hacked database can have their site hacked, and the chain continues. If you delete the malware but fail to fix the security hole, the malware will be back on that site the next day.

Why does your Canary site not include larger leaks like the Adobe leak?

I think sites like yours are very important for protecting people's online security. Data mining is fun and being able to offer a service to help people stay safe online is a win-win.


Canary does not include data from the Adobe leak because I just haven't bothered. I have considered making it available but because there are many other solutions that are better for such a purpose [1], I'd rather just leave it to them and for the future link to them via Canary's site.

In the future I may consider a solution for this but for now it's just not on the priority list. It's a feature I'd like to have but I just don't have a practical way to do it as of yet.

Regarding the count, if you go through all the leaks, it barely gets above 250,000,000. This is based on many statistics from Verizon and other initiatives. My estimate is that it is probably less than double that, but it cannot be much higher. It would take a few Twitter, Adobe, or Facebook-sized leaks to get to 1.2 billion, because even if you had 50,000 WordPress sites breached and they on average only have 5 accounts per site, it's barely going to make a dent in that 250,000,000 I floated.

If 1.2 billion accounts are floating about, someone hasn't spoken up and likely we'd have gotten wind of this by now.

Data mining is awesome. :)

[1] https://lastpass.com/adobe/


Adobe + Target + PlayStation leaks alone total over 300 million credentials.

AOL 2004 = 92 million

AOL 2006 = 20 million

Apple 2012 = 12 million

Blizzard 2012 = 14 million

BNY Mellon 2008 = 12.5 million

Cardsystems Solutions 2005 = 40 million

Evernote 2013 = 50 million

GS Caltex 2008 = 11 million

Heartland 2009 = 130 million

Living Social 2013 = 50 million

RockYou 2009 = 32 million

TMobile 2006 = 17 million

TJ Maxx 2011 = 94 million

US DoD 2009 = 76 million

US Dept of Veteran Affairs 2006 = 26.5 million

Yahoo 2013 = 22 million

Those are only the ones over 10 million before 2014, leaving out some foreign hacks like Auction.co.kr (18 million). (Also UK NHS 8.3 million, LinkedIn 8 million, eBay, Target, LexisNexis.)

I promise you that just over 1 billion is about the number of major company leaks that are publicly available. Yes, lots of duplicates between those leaks, but most contain additional valuable data besides just the credentials.

ATT, BCBS, Citigroup, Facebook, Gap, Gawker, Chase, Medicaid, Monster.com, Network Solutions, Nintendo, Sega, Starbucks, Twitter, Ubisoft, Washington Post, and numerous government and academic organizations all have hundreds of thousands to millions of credentials publicly available.


I might be willing to concede on this but you also have to take age into account.

Let's look at this useful spreadsheet:

https://docs.google.com/spreadsheet/ccc?key=0AmenB57kGPGKdHh...

And here are the numbers:

Hacked: 880,575,016

Inside job: 137,714,840

Accidental: 63,322,485

Lost/stolen: 206,237,702

Misc: 1,825,350

Things like government-issued identification numbers and whatnot are the most severe, so how many people have been affected by that since 2004? If we break it apart by category we start to see how these breaches have become:

E-mail addresses: 530,991,405

SSN/PII: 327,471,624

Credit card: 335,772,083

Authentication: 430,756,146

Bank records: 4,270,000

For the first line, it's just a list of e-mail addresses. The latter four are the most severe. Out of that list, what is the most useful? I'd wager the SSN/PII, authentication, and bank records; credit cards are only useful for so long really.

This means we're at over 750,000,000 records that may be usable. However, with the authentication portion, we're looking at that being even more useless as time goes on. Accounts from 2004 may not be usable in 2014 either.

So yes. We have had over 1.2 billion records leaked, but really how much of that is at all useful? None of these take duplicates into account however.


Useful to me? None.

Useful to spammers? Half a billion emails is very useful.

Useful to hackers? Hundreds of millions of records.

Useful for fraud? Hundreds of millions of records.

Useful for data-mining and intelligence? All of them.

Many banks don't issue new debit/credit card numbers; they just change the expiration (the 3-digit code is rarely used, from my personal experience). It's easy to brute force the expiration.

SSN numbers and security questions can allow access to many accounts.

Figuring out password hashes (lots of methods) is sometimes easy, sometimes hard.

Bank account numbers rarely change, damage can be done with these.

How many people use their real information online? Most.

How many use secure passwords and change their passwords ever/enough? Few.

The LexisNexis breach alone is a disaster, they're basically data-miners with exclusive access to personal details.


That's a lot to read, but the gist of it seems to be that this guy doesn't care for Brian Krebs. Who is this anonymous writer? Does this person have some sort of credibility other than the four posts on this blog?

For what it's worth, one of the other four posts is a complaint about Ryan Block's customer service call with Comcast.


The gist is NOT that this guy doesn't care for Brian Krebs. The gist is that Brian Krebs, along with Hold Security, worked together to create a panic frenzy among the uneducated[0] business class by publishing stories and doing interviews with major media outlets, all to try to sell a 120/year service that is the equivalent of querying Russian forums and IRCs for people mentioning your site in credential sales.

It's a total sham and, personally, I've lost a little respect for Krebs.

edit: [0] By uneducated, I meant only technologically, not anything else. Sorry if anyone was confused.


You are spot on.

Most of the stuff you read on Krebs' blog is sourced from shady forums based out in Russia.

Same type of forums that were bouncing around US providers in early 2000 and were targets of massive DDoS attacks.

(ie: ryan1918.com, etc).

His 'research' is basically going to those forums and translating/organizing activity for public consumption.


IDK, it seems like a valid business practice to me - like how stories of viruses running rampant boost (ineffective) virus scanner sales, or pictures of six-pack abs boost sales of ab crunching devices.


One weird tip to a safer computer. Click here!

Would you like to Run or Save NotAVirus.scr?


Two wrongs don't make a right.


> Who is this anonymous writer?

Oh, hello. That'd be me.

> Does this person have some sort of credibility other than the four posts on this blog?

Sure do.

The intent here wasn't to bash Krebs so much as bash Krebs using the same perpetual source of a company that he is a consultant for. Krebs is an OK guy -- I'd just like to see him utilize a variety of sources versus a reference loop between him and the groups he advises for.


>For what it's worth, one of the other four posts is a complaint about Ryan Block's customer service call with Comcast.

I saw that too, read it, and immediately got the sense that this guy has a vast superiority complex and he aims it at the latest headline-grabbing internet journalist or blogger so he can get his fifteen minutes as well. Specifically in the Ryan Block article, he acted as if he was having an ongoing conversation/interview with Block, when in fact it was his one-sided commentary on a couple of tweets. Very misleading, and it definitely left me unimpressed.

Besides, if what Block did really was illegal in California (two-party recording is something I've dealt with professionally in the past, Block was covered when both parties mutually consented to being recorded at the beginning of the conversation), why was the legality issue never discussed in the media except by this guy?


It didn't seem like this was anything against Krebs, the author just continued to point out that Krebs did have something of a vested interest in pushing this (Hold Security in general) as legitimate.

I have no idea who the author is, but the content does seem plausible/correct/interesting. I will admit to not really believing the original story myself (a safe statement now that others have more publicly stated the same thing, but honestly I didn't) so there might be some bias in believing this side, but this isn't the only person questioning and some are very credible.

https://www.schneier.com/blog/archives/2014/08/over_a_billio...


The article is certainly plausible, and very probably correct—but it always seems worth noting when someone completely anonymous writes something like this. This person is quick (though not necessarily incorrect) to call others' motivations into question. But since nobody knows who this guy is, nobody knows his motivations either.

Maybe this person is just a concerned observer. But I don't think it's necessarily crazy to wonder if it's another attempt to discredit somebody like Krebs, who has had SWAT teams show up at his door and had heroin mailed to him because of his work.


> but it always seems worth noting when someone completely anonymous writes something like this [...] since nobody knows who this guy is, nobody knows his motivations either.

I'm the author and your point is 100% valid. Not that you needed me to validate it.


It's a powerful thing, anonymity. Use it wisely!


> For what it's worth, one of the other four posts is a complaint about Ryan Block's customer service call with Comcast.

It's also a reasonable and well constructed (if unpopular) opinion. Thank you for highlighting it, though I suspect it didn't quite have the effect you were after.


> Who is this anonymous writer?

Indeed. Who is "freshyill"? Sounds fishy to me.


He is 'one of the main dudes of the Internet', apparently.


No doubt.


I was fascinated by the amount of people that asked me about this yesterday. People read about it on various websites but I was basically oblivious because none of my normal haunts were reporting it. I guess that means I'm getting my feeds from the right places.

This is the kind of shitshow that occurs when people try to outscoop one another instead of doing actual research. David Christopher Bell on Cracked.com has made a weekly mockery of the Internet chasing stories that turn out to be completely untrue.


> David Christopher Bell on Cracked.com has made a weekly mockery of the Internet chasing stories that turn out to be completely untrue.

Not to be Captain Pedantic, but Mr. Bell seems to write movie stuff. Thinking of a different person, perhaps? I only ask because your comment piqued my interest enough to go look, and all I found was "8 Movie Plots Rendered Completely Implausible Because the Studio Didn't Want to Hire Script Writers That Were Worth a Damn".



Thank you.


That entire NYT article read like an advertisement for Hold Security, just like the Chinese hackers article was for Mandiant.


Interesting article, and while I never really believed the sensationalist headline, I don't doubt that there are huge caches (hundreds of millions) of stolen U/Ps being privately stored and exploited. The value of such lists drastically decreases if they become public.

Also while the story and coverage might be bullcrap it's increasing the awareness of security online. After my parents saw the story on the news they phoned me up and I got them set up with LastPass, so now they can finally stop using the same 6 digit [a-z0-9] password everywhere.


Of course this didn't actually happen as it was reported. Nowhere near that many passwords have ever been leaked. And the only thing they were telling us was "scary Russian hackers get access to billions of passwords!"

I've found over the years it's easy to tell when a story about security isn't all that true. A story without any actual evidence behind it, that sounds very scary, is almost never true.


That's probably pretty close to the aggregate number of credentials leaked, and these leaks are easily downloaded or bought on the internet.

It wouldn't be difficult (and is commonly done) to create a large database of all leaked credentials.


Never trust anything you read on the internet unless there are sufficient independent sources to verify it. In the heady early days of the web we thought it was a liberating experience; today it's just an amplifier of whatever someone wants you to believe.


+1 to the author for the LoD-versus-MoD reference.


Never forget -- and thanks.


I didn't pay attention, apparently :(


I think the notion of "stolen" passwords should be replaced with pirated passwords, unless the attackers really did something different from just gaining access to and copying them.


Semantic arguments about the meaning of stealing are only appropriate in discussions about copying other people's stuff. When it's our stuff getting copied, then it's theft plain and simple.


It's not the fact that the passwords are being copied, it's that someone without access took access.

The closest analogy to media piracy is someone with a password telling it to their friend.

In short, the difference is between 'sharing' and 'taking'. It's not about whose data. It's not hypocritical.

(That said, feel free to disagree with the opinion, but don't accidentally strawman it. Maybe it would be better to use a different word here too, but this sort of thing is much closer to theft because of that lack of consent and breach of privacy.)


So... I suspect there's some trolling going on, but the problem with passwords/credit cards being stolen is that they steal my monies out of my bank or mess up my twitter/facebook/youtube/etc account. Depending on who you are, that could be a real problem.

The piracy issue is about outdated-business models being supported by ridiculous laws with insane consequences.


No, just when it requires illegal access to a system, instead of legally buying the stuff and then offering copies to others.


Oh, I see. So THAT law, you like.


I said nothing about liking any law. I just said one easily equates to theft, while the other one doesn't[1].

[1] http://en.wikipedia.org/wiki/Dowling_v._United_States_(1985)



