
DH Kass, Senior Contributing Blogger

March 3, 2014

Cybersecurity: 360 Million Stolen Accounts for Sale on Black Market

Maybe the recent high-profile security breach at mega retailer Target, in which personal data from some 40 million credit card accounts and 70 million credentials were stolen by hackers in perhaps the largest such heist in history, was just the start of a new era of mega cybercrime.

A cybersecurity expert seems to think so. Alex Holden, Hold Security chief information security officer, told Reuters that up to 360 million stolen credentials, including email addresses tied to major providers AOL, Google (GOOG), Microsoft (MSFT) and Yahoo (YHOO), are currently being auctioned off on cyber black markets.

At this point, no one knows exactly where the snatched consumer data originated or what vital information has been compromised. But one thing is certain—stolen credentials, which can contain user names, emails and passwords that could gain crooks entrance to bank accounts, sensitive corporate data, health records and other vital data—can carry even greater risk for consumers than rifled credit cards.

Holden said the cybersecurity firm, which helped uncover a significant data breach at Adobe (ADB) last year of 150 million stolen credentials and another 40 million at Cupid Media, now has new evidence the 360 million records were pilfered in separate attacks, with one involving 105 million records, a haul equal to the multiple intrusions of the Target breach.

In the Adobe case, Hold found source code for the software maker’s flagship products on servers of known hackers responsible for breaches of LexisNexis, Kroll, NW3C and many other sites, according to the security company’s website.

At this point, no one has claimed responsibility for the attacks and no suspects have been identified. In many cases the stolen credentials have escaped public reporting, Holden said, possibly because some of the attacked companies don’t realize their customer records have been compromised. He’s yet to identify the companies whose records have been attacked or to share information with other cybersecurity companies.

"The sheer volume is overwhelming," said Holden, in the Reuters report.

Holden said the difference between this episode of stolen credentials and the one at Adobe is that these user names, emails and passwords aren’t encrypted, making it easier for hackers to use them to steal funds, identities and confidential data from unsuspecting consumers.

Two weeks ago, Target said it will invest $5 million in a multi-year campaign to educate customers about cybersecurity and dangers associated with phishing scams, teaming with three cybersecurity and consumer protection organizations in the effort. The group, which first met in Washington, D.C. in January and then again in mid-February in Minneapolis, includes the National Cyber-Forensics and Training Alliance, National Cyber Security Alliance and the Better Business Bureau.


About the Author(s)

DH Kass

Senior Contributing Blogger, The VAR Guy
