Just this week, we learned that a small group of hackers in Russia amassed a database of 1.2 billion stolen user IDs and passwords.

Hold Security, the Milwaukee, Wis.-based company that disclosed the incident, described it as "arguably the largest data breach known to date."

The Russian cyber gang targeted websites indiscriminately, hitting Fortune 500 companies and mom-and-pop sites alike. Hold Security reported the thieves "amassed more than 4.5 billion records, mostly consisting of stolen credentials. 1.2 billion of these credentials appear to be unique, belonging to over half a billion e-mail addresses."

From Bad to Worse

To get such an impressive number of credentials, the gang robbed more than 420,000 web and FTP sites.


The massive theft is disturbing news. But what's even more unsettling is the fact that the attackers used alarmingly simple means to get the data. As web security firm Incapsula noted, the process was easy enough for even the most novice hacker to do.

But there's more. According to Incapsula's 2013-2014 DDoS Landscape report, application level distributed denial-of-service (DDoS) bot traffic is up 240 percent in the past year.

A bot is a type of malware that allows an attacker to take control of an affected computer. Also known as web crawlers, robots or spiders, bots are usually part of a network of infected machines, known as a “botnet,” which is typically made up of victim machines worldwide.

"About 61.5 percent of all web traffic is now bots — and the increase in botnet activity in the past year means this trend is not going away," said Tim Matthews, vice president of marketing at San Francisco-based Incapsula.

What You Need to Know

CMSWire asked Matthews to share his insight on the Russian data theft — and how we can protect ourselves.


CMSWire: What do companies and brands need to know about the recent theft of passwords?

Matthews: The problem of credential theft is pervasive, and the volumes are staggering. The theft of credentials has several serious consequences. First, if the user’s name is also stolen, this type of theft constitutes theft of personally identifiable information (PII), a serious data breach that may require disclosure. Failure to do so may put the company in violation of various state, federal, national and agency regulations. Also, companies should realize that theft of employee credentials puts critical systems and databases at risk. Lastly, several studies have shown that breaches lower confidence in brands, ultimately causing customer churn and lost business.


CMSWire: In simple terms, how did the cyber gang accomplish this?

Matthews: The attackers had two approaches. First, they targeted web applications and issued phony queries designed to extract sensitive data from the application’s database. This is known as a SQL injection attack. Second, they sent bogus emails to trick users into entering their credentials on lookalike sites. This is known as phishing.

CMSWire: What can companies and brands do to protect themselves and their customers?

Matthews: Web applications should be shielded from these types of attacks using a web application firewall (WAF). Critical systems should require two-factor authentication, typically where a random number is displayed in an app or texted to a phone, and used for login. All admin pages on web applications should require two-factor authentication. And companies should consider requiring two-factor authentication for all their users. Google Authenticator, for example, is free, works on iPhone and Android, and is easy to integrate.

CMSWire: What can individuals do?

Matthews: Use different passwords on different sites, so that if one is breached the stolen credential cannot be used on other sites. For example, don’t use the same username and password on your child’s soccer registration site and your personal banking site.

CMSWire: How do we keep the web safe when this kind of activity is growing so fast?

Matthews: First, we need to move away from simple usernames and passwords. Two-factor authentication has been around for decades, and is now free and easy to use. We should all use it. Second, companies should rely on cloud security services that are constantly updated, rather than applications that require IT staff or small business consultants to update. Things are just moving too fast.
