Don’t worry, you’re not the only one with more questions than answers about the 1.2 billion user credentials amassed by Russian hackers.
Some security researchers on Wednesday said it’s still unclear just how serious the discovery is, and they faulted the company that uncovered the database, Hold Security, for not providing more details about what it discovered.
“The only way we can know if this is a big deal is if we know what the information is and where it came from,” said Chester Wisniewski, a senior security advisor at Sophos. “But I can’t answer that because the people who disclosed this decided they want to make money off of this. There’s no way for others to verify.”
Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at US$120 per year. Individual consumers can find out through its identity protection service, which Hold Security says will be free for the first 30 days.
Hold Security didn’t respond to email and telephone requests for comment Wednesday, though it may have been inundated with inquiries.
To recap, Hold Security said Tuesday it had obtained a massive database of stolen credentials amassed by a gang of Russian hackers. The database contains 1.2 billion unique “credential pairs”—made up of a user ID (mostly email addresses) and an associated password. Looking at email addresses alone, there are “over half a billion,” the company said, since some email addresses correspond to multiple passwords.
To assess how serious the discovery is, researchers want to know how old the credentials collected by the Russian gang are, where they came from, and how well-protected the passwords are by “hashing,” which scrambles the passwords but can be vulnerable to brute force attack.
The age is important because the older they are, the more likely they are to be disused and less valuable, said Gary Davis, chief consumer security evangelist at McAfee.
Hold Security acknowledged in its announcement that “not all” the credentials are “valid or current,” with some associated with fake email addresses, closed accounts or even passwords a decade old.
It’s also unclear how many of the login and password credentials were culled online recently by the hacker group, and how many were acquired on the black market from previous hacks.
Hold Security said the hackers began by buying credentials from previously attacked accounts, and then did some hacking work of their own. But it’s unclear how many of the 1.2 billion credentials came from previous hacking incidents, and which incidents those were.
“If you take Sony, LinkedIn, eBay and Adobe,” said Wisniewski, naming four of the biggest recent password breaches, “that’s already 500 million accounts.”
Experts said the passwords were likely hashed, a process used by most websites these days. But there are several methods of doing that, and the older “MD5” method, for example, is more vulnerable than a more modern method called “salting,” said Wisniewski.
For now, researchers are left guessing and reading between the lines because Hold Security has not released more information.
“It will be interesting to see if public opinion pressures them,” said Wisniewski.