Wednesday, February 26, 2014

Major Cyber Security Data Breach: Change Your Online Bank Account and Email Passwords Immediately

This looks like a big one. Reuters reports:

A cybersecurity firm said on Tuesday that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access.

The discovery could represent more of a risk to consumers and companies than stolen credit card data because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system.

Alex Holden, chief information security officer of Hold Security LLC, said in an interview that his firm obtained the data over the past three weeks, meaning an unprecedented amount of stolen credentials is available for sale underground.

"The sheer volume is overwhelming," said Holden, whose firm last year helped uncover a major data breach at Adobe Systems Inc in which tens of millions of records were stolen.

Holden said he believes the 360 million records were obtained in separate attacks, including one that yielded some 105 million records, which would make it the largest single credential breach known to date.

He said he believes the credentials were stolen in breaches that have yet to be publicly reported. The companies attacked may remain unaware until they are notified by third parties who find evidence of the hacking, he said.

"We have staff working around the clock to identify the victims," he said.

He has not provided any information about the attacks to other cybersecurity firms or authorities but intends to alert the companies involved if his staff can identify them.

The massive trove of credentials includes user names, which are typically email addresses, and passwords that in most cases are in unencrypted text. Holden said that in contrast, the Adobe breach, which he uncovered in October 2013, yielded tens of millions of records that had encrypted passwords, which made it more difficult for hackers to use them.

The email addresses are from major providers such as AOL Inc, Google Inc, Microsoft Corp and Yahoo Inc and almost all Fortune 500 companies and nonprofit organizations. Holden said he alerted one major email provider that is a client, but he declined to identify the company, citing a nondisclosure agreement.


  1. Yikes. Good lookin' out Bob.

  2. These hackers are most likely exploiting the back doors the gov't makes everyone put into their data warehouses. It's long been a :tfh: conspiracy whack job view that the gov't is getting real time connections to EVERY transaction out there. I think Snowden has shown this to be the case. If the gov't can get into everything at any time and knowing how inept they are it's pretty simple to extrapolate that it would be possible for someone with the skills to exploit these same connections.

    I would wager that it's way worse than even this article points out.

  3. While I appreciate Wenzel posting this information to warn us, I do not know who Alex Holden of Hold Security is. I am not familiar with him and as has been pointed out to me by others, the info above is very vague. Is this another fear tactic to get us to all change our accounts, passwords, etc to fit into new accounts with new rules, or even just to identify classes of people such as....
    Folks easily frightened ...
    Folks who are reading certain publications...
    If you reread the article it is mostly full of vague threats.

    To me it looks more like manipulating us into opening a new account with new rules that are more favorable to the bank or to the government than to us. Or giving them more opportunities to mix up or lose our account numbers, balances etc. Or issuing a new card that has an identifiable chip in it, or automatically distributes fees to a third party. Who knows. I don't think we can trust anyone to function in our interest.

  4. I think it would be an interesting concept to explore that .gov has the NSA as the man-in-the-middle, and would create a false-flag event in order to justify its existence given the Snowden data. I'm waiting to see what bubbles up. Popcorn anyone?

  5. More great news ! !