The New York Times reported this morning that a Russian gang has managed to steal 1.2 billion usernames and passwords, and over 500 million email addresses, from vulnerable websites.
The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems. Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable.
At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.
Alex Holden of Hold Security said most of the targeted websites were still vulnerable.
The full story is available on the New York Times website.
This would be a good time to change your passwords on the websites you use. Make your passwords “hard” by avoiding common words and by including both upper and lower case letters, numbers and punctuation symbols. They should also be of a decent length, at least 8 characters long.
You could use a service like LastPass, which will assist you in managing passwords. LastPass generates secure passwords automatically, and remembers them so you don’t have to. If you prefer to remember your password yourself, you can use the Password Generator provided by The Best VPN.
Protect your Website
This data was apparently stolen through a common website vulnerability called “SQL injection”, a technique in which SQL commands are entered into forms on your website in an attempt to have the database execute them. Your website should be designed to block these attempts.
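To show what "designed to block these attempts" means in code, here is an added example (not from the original article) that runs the same form lookup two ways: once by pasting the input into the SQL text, and once with a parameterized query. The table, column names, function names and sample inputs are constructed for illustration, using Python's built-in sqlite3 module.

```python
import sqlite3

def make_db():
    """Build an in-memory user table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, display_name TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    return db

def lookup_vulnerable(db, email):
    # Form input is pasted into the SQL text, so quotes typed into the
    # form become part of the command the database executes.
    query = "SELECT email, display_name FROM users WHERE email = '" + email + "'"
    return db.execute(query).fetchall()

def lookup_safe(db, email):
    # The ? placeholder sends the input separately from the SQL text;
    # the database treats it purely as a value to compare against.
    query = "SELECT email, display_name FROM users WHERE email = ?"
    return db.execute(query, (email,)).fetchall()

# Constructed form inputs: one ordinary, one containing SQL syntax.
NORMAL_INPUT = "alice@example.com"
INJECTED_INPUT = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(label, "normal   ->", fn(db, NORMAL_INPUT))
        print(label, "injected ->", fn(db, INJECTED_INPUT))
```

With the concatenated query the second input returns every row in the table; with the placeholder it matches nothing, because no user has that literal string as an email address.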
WordPress combined with the iThemes Security plugin is an almost impenetrable combination, which will block SQL injection and most other attacks.