This appeared a few days ago.
TIMES INVESTIGATION
‘It’s the mother lode’: inside the black market for stolen records
A vast hacked database available online for just £2 has been linked to Russia
Louis Goddard, Times Data Team
June 23 2017, 12:01am, The Times
“800 million cracked email and password combinations from tons of hacks,” wrote one user of a shady online hacking forum in October last year. “It’s the mother lode.” On offer was a huge database of stolen credentials for sale for the equivalent of about £2.
The price was low because the database had been circulating for months. It had apparently been lifted from an invitation-only Russian forum dedicated to cybercrime, where through private message boards it may have changed hands for considerably more.
The Times analysed a freely available copy of the database as well as a second, smaller, list. It found passwords belonging to cabinet ministers, ambassadors and senior police officers. They came from hacks of dozens of social media sites, including Linkedin, MySpace and the Russian social network VKontakte.
Combined, they formed a master hacking database of more than one billion records. Such “combo” lists are powerful tools in a hacker’s arsenal, security experts warned. The stolen data could be used to perpetrate so-called credential stuffing attacks.
Hackers would take a user’s leaked password and email address and use it to attempt to log in to hundreds of other sites, exploiting people’s tendency to re-use passwords. If they gain access to a personal email account, hackers can use it to compromise other accounts by triggering password reset emails, as well as accessing personal and financial information.
By combining data from dozens of attacks, savvy hackers can build up highly detailed profiles of their targets. One employee at the British embassy in Manila, whose email address appeared in the combo lists, also showed up in material hacked from the Philippines Commission of Elections, which included passport numbers and biometric fingerprint data.
The material also raises an added concern: a link to Russia. The larger of the two lists appears to have originated on a Russian-language hacking forum with about 38,000 registered members. Membership is a valuable commodity: registration costs $100 for those who do not speak the language, while Russian-speakers need to know a user or have impressive profiles on other forums.
Although there is no evidence to indicate the involvement of Russian state officials, the country has long been suspected of state-sponsored — or at least state-tolerated — hacking. President Putin appeared to praise hackers this month when he said that if they were “feeling patriotic they will start contributing . . . to the justified fight against those speaking ill of Russia”.
--- Lots omitted ---
HOW TO PROTECT YOURSELF
Check if your details have been leaked
Head to haveibeenpwned.com and enter your email address (“pwned” is slang for compromised). This free service, run by a computer security researcher, will tell you if some of your passwords are out in the open.
Head to haveibeenpwned.com and enter your email address (“pwned” is slang for compromised). This free service, run by a computer security researcher, will tell you if some of your passwords are out in the open.
Change your passwords
Although some of the hacks took place years ago, many passwords were in a scrambled form that hackers have only recently decoded.
Although some of the hacks took place years ago, many passwords were in a scrambled form that hackers have only recently decoded.
Use different passwords
A password manager makes it easy by generating random passwords for you and storing them securely. Lastpass and Keepassx are good free options.
A password manager makes it easy by generating random passwords for you and storing them securely. Lastpass and Keepassx are good free options.
Check the web address before entering details
All reputable websites will offer a secure connection, denoted by a padlock and “https://” in the address bar, but fraudsters can set up secure websites too. It’s essential to check that the address is correct.
All reputable websites will offer a secure connection, denoted by a padlock and “https://” in the address bar, but fraudsters can set up secure websites too. It’s essential to check that the address is correct.
Don’t click email links
Emails from your bank and shopping sites can easily be faked and fraudsters are getting much better at it. They’ll trick you into clicking a link that looks like the real thing and steal your password. Instead, head to the real login page by typing the address into your web browser.
Emails from your bank and shopping sites can easily be faked and fraudsters are getting much better at it. They’ll trick you into clicking a link that looks like the real thing and steal your password. Instead, head to the real login page by typing the address into your web browser.
Keep your computer and anti-virus software up to date
Criminals can take over your computer so install updates as soon as they’re available.
Criminals can take over your computer so install updates as soon as they’re available.
Only install software from sources you trust
Free software may contain malicious code. Be judicious about where you get it from.
Free software may contain malicious code. Be judicious about where you get it from.
Wipe your old computer before you throw it away
Hard drives of discarded machines may have data that can be sold on. BleachBit is a free program that deletes your data thoroughly.
Hard drives of discarded machines may have data that can be sold on. BleachBit is a free program that deletes your data thoroughly.
Here is the link:
A very worrying article indeed with some good tips to help avoid trouble.
David.
No comments:
Post a Comment