Another breach, another dollar: Is it time to kill the password?

Security experts trade likes and votes to recover 1.17 billion credentials that show password re-use still alive and well
Written by John Fontana, Contributor

A kid from a small Russian town accepted likes and votes to his social media pages in exchange for turning over to a group of security experts 1.17 billion stolen credentials he had collected on the underground web.

The exchange may be the greatest example to date of the value of today's password-based end-user credentials. There are so many credentials floating around in the dark corners of the web, their value has taken a beating. But hackers with these stolen records know people use the same credentials across multiple sites. Often times those sites contain valuable assets or private data, such as online bank accounts and health records

This year's annual Verizon Data Breach Investigations Report showed 63 percent of all breaches included the use of stolen credentials, up from 51 percent in last year's report.

The Verizon report also said the lack of basic two-factor authentication continues to plague enterprises, a technology, the report said that "would mitigate an entire swathe of these breaches."

Initial inspections by the firm that recovered the credential records, Hold Security's Deep Web Monitoring practice and Credential Integrity Services, showed heavy reuse.

"Out of 80 million credentials starting with the letter "a" only 19 million unique credential pairs are found. It is not unusual that most people still reuse credentials across different services, but nearly a 75% overlap is substantial," the company wrote in its report on the incident.

The trove was said to contain the credentials of nearly 90 percent of Russia's Mail.ru customer base. In addition, the cache contained the stolen records of tens of millions of Microsoft, Google and Yahoo email users.

All three providers offer two-factor authentication schemes based on software or hardware to protect accounts, which means hackers with your credentials can't get into your accounts without your authentication second-factor.

The kid's cache was taken in by Hold Security, which did not pay for the records. The Russian kid was asking for less than one U.S. dollar, which Hold Security refused to pay, instead bartering with the kid using social media hugs.

Hold Security is known for such record recoveries, including work with investigative reporter Brian Krebs to recover the Adobe user database including 153 million records, then with 360 million records in February 2014, and finally uncovering 1.2 billion credentials stolen by a Russian cyber gang in what Hold Security calls the most substantial breach known to-date.

The Russian kid's collection eventually amounted to 1.17 billion stolen credentials, of which 272 million were unique to Hold Security's security experts.

The security experts reported the stolen data also consisted of "information from a major Eastern European communication firm, some medium size online service providers, and mostly unattributed data moved around by hackers in search of easy gains."

These companies lost your data in 2015's biggest hacks, breaches

Editorial standards