Reuters is reporting that, according to Hold Security LLC, over 360 million new accounts have been hacked and their data is now available on the black market. How did this happen, and was your personal data stolen? Here is what we know so far about this developing story...
1. 360 Million Credentials Reported Stolen by Hold Security LLC
360 million newly stolen credentials on black market "They can get access to your actual bank account" http://t.co/dexTQuS1Zy
— Vance Crowe (@VanceCrowe) February 26, 2014
Reuters quotes Alex Holden, chief information security officer of Hold Security LLC. According to Holden, this data breach is "unprecedented."
The article goes on to say:
"'The sheer volume is overwhelming,' said Holden, whose firm last year helped uncover a major data breach at Adobe Systems Inc in which tens of millions of records were stolen.
Holden said he believes the 360 million records were obtained in separate attacks, including one that yielded some 105 million records, which would make it the largest single credential breaches known to date.
He said he believes the credentials were stolen in breaches that have yet to be publicly reported. The companies attacked may remain unaware until they are notified by third parties who find evidence of the hacking, he said.
'We have staff working around the clock to identify the victims,' he said."
According to CNET, Holden's team is still collecting data about the breach. CNET says "Holden has yet to inform affected companies or authorities. He claims that his team is working to identify all the affected companies and will inform them of the breach when the data is collected."
As of this writing, there is no timeframe for when Holden will release this details to the affected companies, nor a timeframe for when those companies will inform any affected users.
2. Many Kinds of Data Were Stolen in the Cyberattack
— Patrick Tutek (@itdatasec) February 26, 2014
According to Reuters, many different types of information were stolen by the hackers, and the data came from some major providers in the tech industry.
"The massive trove of credentials includes user names, which are typically email addresses, and passwords that in most cases are in unencrypted text...
The email addresses are from major providers such as AOL Inc, Google Inc, Microsoft Corp and Yahoo Inc and almost all Fortune 500 companies and nonprofit organizations."
3. It Is Not Easy to Find Out Whether Your Data Was Stolen
360 million usernames and passwords for sale to hackers! What is the average person supposed to do? http://t.co/sFMhoyLKGN
— Adam Levin (@Adam_K_Levin) February 26, 2014
Unfortunately, at this time, it is rather difficult to tell if your data was part of the 360 million stolen credentials. PC World writes that while it is known that email addresses and corresponding passwords can be purchased on shady, underground forums, there isn't a lot more information to go on right now.
Your best bet to protect yourself at this juncture would be to change all of your email account passwords, as well as all passwords for other online services.
4. It Is Also Unclear How Hackers Stole the Credentials
Security firm says it found stolen credentials from 360M accounts for sale on cyber black markets; unsure of source http://t.co/DeqWwMHQ1a
— NBC News (@NBCNews) February 26, 2014
PC World writes, "It is possible the data came in part from data breaches at dating or job-related sites, which would have large numbers of users, although it has not been confirmed."
When more information is available, we will update this page with any known sites involved in this massive data breach.
5. 1.25 Billion Email Addresses Also Stolen
The guys who analyzed the data stolen from Adobe and Cupid have uncovered 360 mil credentials and 1.25 bil emails http://t.co/LLVoTqu9Fc
— Eduard Kovacs (@EduardKovacs) February 26, 2014
Hold Security posted a message on their website that outlines this February 2014 data breach. They write:
"In the first three weeks of February, we identified nearly 360 million stolen and abused credentials and 1.25 billion records containing only email addresses. These mind boggling numbers are not meant to scare you and they are a product of multiple breaches which we are independently investigating. This is a call to action, and if you are concerned about integrity of your company's user credentials we encourage you to use our Credentials Integrity Services."