
360 million newly stolen credentials on black market: cybersecurity firm



(Reuters) - A cybersecurity firm said on Tuesday that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access.

The discovery could represent more of a risk to consumers and companies than stolen credit card data because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system.

Alex Holden, chief information security officer of Hold Security LLC, said in an interview that his firm obtained the data over the past three weeks, meaning an unprecedented amount of stolen credentials is available for sale underground.

"The sheer volume is overwhelming," said Holden, whose firm last year helped uncover a major data breach at Adobe Systems Inc in which tens of millions of records were stolen.

Holden said he believes the 360 million records were obtained in separate attacks, including one that yielded some 105 million records, which would make it the largest single credential breach known to date.

He said he believes the credentials were stolen in breaches that have yet to be publicly reported. The companies attacked may remain unaware until they are notified by third parties who find evidence of the hacking, he said.

"We have staff working around the clock to identify the victims," he said.

He has not provided any information about the attacks to other cybersecurity firms or authorities but intends to alert the companies involved if his staff can identify them.

The massive trove of credentials includes user names, which are typically email addresses, and passwords that in most cases are in unencrypted text. Holden said that in contrast, the Adobe breach, which he uncovered in October 2013, yielded tens of millions of records that had encrypted passwords, which made it more difficult for hackers to use them.

The email addresses are from major providers such as AOL Inc, Google Inc, Microsoft Corp and Yahoo Inc and almost all Fortune 500 companies and nonprofit organizations. Holden said he alerted one major email provider that is a client, but he declined to identify the company, citing a nondisclosure agreement.

Heather Bearfield, who runs the cybersecurity practice for accounting firm Marcum LLP, said she had no knowledge of the data that Hold Security uncovered but that it was plausible for hackers to obtain such a large amount of data because these breaches are on the rise.

She said hackers can do far more harm with stolen credentials than with stolen payment cards, particularly when people use the same login and password for multiple accounts.

"They can get access to your actual bank account. That is huge," Bearfield said. "That is not necessarily recoverable funds."

After recent payment-card data breaches, including one at U.S. retailer Target, credit card companies stressed that consumers bear little risk because they are refunded rapidly for fraud losses.

Wade Baker, a data breach investigator with Verizon Communications Inc, said that the number of attacks targeting payment cards through point-of-sale systems peaked in 2011. That was partly because banks and retailers have gotten better at identifying that type of breach and quickly moving to prevent crooks from making fraudulent transactions, he said.

In addition to the 360 million credentials, the criminals are selling some 1.25 billion email addresses, which would be of interest to spammers, Hold Security said in a statement on its website (bit.ly/1fo5fxx).

(Editing by Richard Valdmanis and Amanda Kwan)

19 Comments
bocotora1 February 26 2014 at 2:26 PM

I think the time has come where one should place his or her right thumb under a special device to make sure it is the person using his or her credit card. So let us say all the millions of thefts that have occurred and are being sold underground, they won't be able to purchase items because the fingerprint won't be available. The fingerprint won't be on the card; it will be kept by the various card agencies and it will only activate when the user places his or her thumb under this special device and the fingerprint matches. Personally most of my charges are done from my home, and I would definitely buy one of those devices to keep at home so I can place my thumb to activate when I am placing an order. It is said that no two fingerprints are alike, so maybe this might work. It is just a suggestion.

ddougl7208 February 26 2014 at 8:29 AM

The AOL use of fraudulent headlines is very annoying!

mbrheljr February 26 2014 at 8:09 AM

Those who steal innocent victims' identities need to ROT in prison...

kenmac7 February 26 2014 at 7:32 AM

Is your data for sale on the black market?
A cybersecurity firm reports finding 360 million newly stolen credentials.
How to make sure you're not a victim

I read the article twice and I still don't know how to make sure I am not a victim.

1 reply to kenmac7's comment
Bri February 26 2014 at 12:57 PM

Same here. I was expecting to read what steps we could take, to prevent becoming a victim.

kenmac7 February 26 2014 at 7:29 AM

I don't understand why they can't make this thing waterproof.

DOUG February 25 2014 at 11:56 PM

Never been so happy to be broke. Hack me all you want. Can't get anything from an empty account. LOL

3 replies to DOUG's comment
Richard February 25 2014 at 11:22 PM

You can all thank the government and their partners Microsoft, Google. If Microsoft hadn't made backdoors for the NSA to get in, there wouldn't be all of this happening on such a large scale!

Shortnich February 25 2014 at 11:08 PM

I haven't heard that U.S. companies are in the process of encrypting PIN numbers as other countries have been doing. Isn't this added security for American card users to protect them from cyberattacks? Is encrypting in the planning stages by card companies?

Mary Ann February 25 2014 at 11:06 PM

Have Your Say...you bet your sweet ass

britishsteel February 25 2014 at 10:57 PM

Technology KILLS.

1 reply to britishsteel's comment
sandral105 February 25 2014 at 11:15 PM

So does non-technology.
