The hackers, a presumed small, tight-knit group of south central Russian 20-somethings, targeted sites worldwide, ranging from Fortune 500 companies to smaller websites. The criminals collected 4.5 billion records; after duplicates were filtered out, however, they wound up with 1.2 billion unique usernames and passwords.
Milwaukee-based security firm Hold Security discovered the breach, which was later confirmed by an independent security expert on behalf of the New York Times. Hold Security has not revealed the victims of the hack due to existing nondisclosure agreements, but Alex Holden, the company’s founder and chief information officer, says the data came from approximately 420,000 different websites, many of which are still vulnerable.
The Russian gang managed to compromise so many sites so efficiently using botnets, networks of virus-infected zombie computers that scan other websites for vulnerabilities.
“Botnets are extremely dangerous because they allow hackers to infect thousands and thousands of computers with software that can allow for remote access,” writes Lisa Eadicicco for Business Insider.
Once hackers acquire remote access, they can use a computer to do their bidding; entering passwords to log into websites, spamming other users, spreading the virus to infect other computers, etc.
Todd Morris, CEO of BrickHouse Security, says varying passwords could serve as a bulwark against the spreading of botnets.
“So many people use the same password over and over again for different websites,” he told Business Insider. “If people were using more unique passwords, it would be a more limited threat.”
This most recent hack comes on the heels of two other substantial hacks. Last year, Target revealed a breach that compromised nearly 40 million credit card numbers and even more pieces of personal information, and Adobe Systems copped to tens of millions of their records being stolen. These breaches are not only costly and inconvenient to consumers, but they can be costly to companies as well; the average cost of dealing with a hack on this level is $3.5 million per breach, according to the New York Times.
The Russian hack is epic in scale, and it’s certainly not going to be the only breach we read about in the coming months and years, experts warn.
“The ability to attack is certainly outpacing the ability to defend,” Lillian Ablon, a security researcher at the RAND Corporation, told the Times.