Russian criminals have stolen 1.2 billion Internet user names and passwords, amassing what could be the largest collection of stolen digital credentials in history, a respected security firm said Tuesday.
You should take this time to change your passwords and be diligent about safe password practices, such as using different passwords for different sites.
6 ways to keep your passwords safe
Online marketplace eBay is the latest website to report a massive cyber breach, encouraging users to change their passwords.
USA TODAY Network lists six tips for you to keep your passwords safe.
1. Use a different password for every website you visit.
We know it seems like password overload but it is a lot less work than dealing with getting hacked.
2. Use a combination of upper case, lower case, numbers and symbols.
The more original you are the better. According to Norton, some of the most common passwords created by online users last year were password, 123456, qwerty, 111111 and monkey.
3. Change your passwords every three months.
4. If it’s hard to remember all your passwords, try a password manager.
5. Make sure your computer has an anti-virus program.
6. Set up two-step log-ins.
Two-step authentication asks you to sign in with your password, and then add a second sign-in — a numeric code sent by text, e-mail or a phone call. Think of it as a double password.
Google, Facebook, Twitter and Microsoft all recommend two-step authentication.
There’s no need to panic at this point — Hold Security, the firm that discovered the theft, says the gang isn’t in the business of stealing your bank account information. Instead, they make their money by sending out spam for bogus products like weight-loss pills.
The Milwaukee-based firm didn’t reveal the identities of the targeted websites, citing nondisclosure agreements and a desire to prevent existing vulnerabilities from being more widely exploited.
Hold Security founder Alex Holden told CNNMoney that the trove includes credentials gathered from over 420,000 websites — both smaller sites as well as “household names.” The criminals didn’t breach any major email providers, he said.
A credential pair consists of a user name — often an email address — plus a password. There are roughly half a billion email addresses in the gang’s collection, Hold Security says.
Holden said the gang makes its money by hacking into email and social accounts, posing as trusted friends and family and advertising bogus products. That means that if you see strange messages being sent from your email or social media accounts, you might be among those affected.
“It’s really not that impactful to the individuals, and that’s why they were under the radar for so long,” Holden said. “They’ve ignored financial information almost completely.”
But Holden said the gang’s success at amassing passwords demonstrates that weak security procedures are common on websites of all sizes.
The criminals began collecting user data a few years ago by simply buying it on the black market. Their stash has grown significantly this year thanks to their use of an automated program that trawls the Internet to find vulnerabilities on websites, Holden said.
The reported theft dwarfs the one revealed last year by discount retailer Target, which admitted in December that hackers had stolen credit- and debit-card data from 40 million accounts.
Hackers from Russia and Eastern Europe are known for launching sophisticated cyberattacks for financial gain. Beyond spam, organized crime syndicates in the region have engaged in more sophisticated activities like corporate espionage and the theft of credit-card details.
The extent of the theft shows people need to better manage their credentials, cybersecurity experts say. Most people keep the same password for multiple services, such as banking, email and social media accounts. That allows hackers to turn a single password database into a treasure trove.
One simple way to stem the damage is to use two-factor authentication whenever possible to sign into online services, said Eric Cowperthwaite, an executive at network security provider Core Security. This method requires you to enter a second password, usually generated by your smartphone, upon login.
Jay Kaplan, CEO of cybersecurity firm Synack, criticized the companies involved for not being alert enough about their own security.
“It’s likely that most of them do not even realize how many times they’ve been compromised,” he said.