On Aug. 4, Hold Security announced that a Russian organized crime ring committed a data breach, snatching over 1.2 billion username and password combinations and 500 million email addresses from multiple sources. The email addresses alone represent almost one-third of the world’s email population, making this the largest known hack ever reported.

The compromised accounts represent a wide range of organizations in terms of scope, size and location, with personal accounts, small businesses and large, multinational businesses being affected. Some industry experts question the validity of the data, claiming that it was a collection of smaller, previously announced breaches that occurred over the past couple of years.

Report From Hold Security

Until Aug. 4, Hold Security maintained a fairly low profile in the security and intelligence world. However, with its announcement of the Russian organized crime ring data breach, the company has amassed an incredible amount of attention and will undoubtedly capitalize on the opportunity. Hold Security has only released limited information about the data breach and has yet to announce the name of the group responsible. The company intends to maintain control of the specifics around the hack and will use it as an avenue to generate revenue.

According to Sam Frizell of TIME, the organized crime ring “used networks of infected computers (known as a botnet) that had a computer virus to scour the Internet for vulnerable websites. Whenever a user on an infected computer visited a website, the computer tested the website to see if it was susceptible to hacking. If it was, the criminals flagged the website and returned later with a hack called an SQL injection, which reproduces the website’s database contents.”
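The quoted passage describes the attack as an SQL injection that "reproduces the website's database contents." The following added example (not from the article or from Hold Security) shows, with Python's built-in sqlite3 module and a constructed three-row user table, how a query that splices user input into SQL text hands control of the query to the caller, and how binding the value as a parameter removes that control. The table contents and the function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample "website database" (not real data).
SAMPLE_USERS = [
    ("alice", "alice@example.com", "hash-1"),
    ("bob", "bob@example.com", "hash-2"),
    ("carol", "carol@example.com", "hash-3"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable pattern: the caller's string becomes part of the SQL text,
    so quoting characters in it change the structure of the query."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the value is bound as a parameter. The driver passes it
    to the engine as data, so it can only ever match one literal username."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A classic tautology payload; used here only to show the two behaviours differ.
TAUTOLOGY_INPUT = "x' OR '1'='1"


def demo():
    """Run both lookups with a normal username and with the tautology input."""
    conn = make_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_safe(conn, "alice"),
        "tautology_vuln": lookup_vulnerable(conn, TAUTOLOGY_INPUT),
        "tautology_safe": lookup_safe(conn, TAUTOLOGY_INPUT),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the vulnerable lookup the tautology input returns every row in the table, which is exactly the "reproduces the database contents" outcome the quote describes; the parameterized lookup returns nothing for the same input because no username literally equals that string. Parameterized queries (or an ORM that uses them) are the fix; escaping input by hand is not a substitute.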

Summary of Data Breach Intelligence

The following is the information that has been released thus far regarding the reported data breach:

  • A reported 1.2 billion username and password combinations were hacked, plus more than 500 million email addresses.
  • Hold Security would not name victims nor release the name of the Russian organized crime group(s) responsible.
  • The organized crime group is believed to be part of a crime ring based in a small city in south-central Russia between Kazakhstan and Mongolia.
  • The Russian hackers targeted multiple organizations in countries around the globe, ranging from Fortune 500 companies to very small, locally owned websites (this includes Russian organizations).
  • There was no particular method involved in the way websites were targeted. Any website the hackers could access was used to harvest credentials, and many of these sites are still vulnerable.
  • There is no indication that the Russian group has sold any of the records at this time.
  • The group appears to be using the stolen credentials to send spam on social networks such as Twitter at the behest of other groups, collecting fees for their work.

Hold Security’s website offers individuals a way to see whether their email addresses or passwords have been compromised.

Analyst Comments

The risk of this particular breach stems from a human habit: most individuals reuse the same password for their login credentials on multiple websites. Fraudsters are aware of this habit and use it to their advantage by testing the stolen credentials on various websites. Moreover, the risk of identity theft is much greater in this case than in previous mass-compromise incidents involving major retailers. While costly to the card issuer, a debit or credit card compromise is much easier to remedy; issuers simply monitor card BINs (bank identification numbers) and block and reissue the entire BIN if fraud thresholds are met. Identity theft, however, is a more complex problem that requires extensive time and resources to resolve.

How the Data Will Be Used

The credentials may be used to cross-check websites that allow email addresses to be used as a username. Since individuals often use one password across multiple sites, the cyber criminals will attempt to enter those credentials into known sites that allow emails to be usernames. Access gained to social networking sites will provide valuable personal information to the fraudsters that will enable further targeted action against the victim.

Cyber criminals will also modify their cross-site check strategy by using the portion of the email address before the “@” symbol as a username. For example, JaneDoe@example.com would become “JaneDoe” as a username, paired with the email password. Individuals often use their base email address as a username along with their standard password.

If the email address and password checks fail, cyber criminals will attempt to retrieve the username and password through the “Forgot Username” and “Forgot Password” prompts found on most websites. If the email on record is the same as the compromised one, the cyber criminal has another chance to gain access by intercepting the recovery email sent to the compromised email account.
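The Analyst Comments and the three paragraphs above describe two patterns a site operator can watch for: credentials from a breach being tried across many accounts from one source (credential stuffing), and the "Forgot Password" flow being driven in bulk against the same accounts. The following added example (not from the article or from Hold Security) runs a simple window-based detector over a constructed authentication log. The log format, field names, thresholds and the three source addresses are all assumptions chosen for the demonstration; they are not from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed format:
#   <ISO timestamp> <source ip> <event> <username>
# Events: LOGIN_OK, LOGIN_FAIL, RESET_REQUEST.
SAMPLE_LOG = """\
2014-08-05T10:00:01 203.0.113.7 LOGIN_FAIL janedoe
2014-08-05T10:00:02 203.0.113.7 LOGIN_FAIL jsmith
2014-08-05T10:00:02 203.0.113.7 LOGIN_FAIL bob.lee
2014-08-05T10:00:03 203.0.113.7 LOGIN_FAIL mchen
2014-08-05T10:00:03 203.0.113.7 LOGIN_OK   anna.k
2014-08-05T10:00:04 203.0.113.7 LOGIN_FAIL pwong
2014-08-05T10:00:05 203.0.113.7 LOGIN_FAIL dgarcia
2014-08-05T10:00:05 203.0.113.7 LOGIN_FAIL t.nguyen
2014-08-05T10:01:10 198.51.100.9 LOGIN_FAIL janedoe
2014-08-05T10:01:20 198.51.100.9 LOGIN_OK   janedoe
2014-08-05T10:05:00 192.0.2.44 RESET_REQUEST janedoe
2014-08-05T10:05:01 192.0.2.44 RESET_REQUEST jsmith
2014-08-05T10:05:02 192.0.2.44 RESET_REQUEST bob.lee
2014-08-05T10:05:03 192.0.2.44 RESET_REQUEST mchen
2014-08-05T10:05:04 192.0.2.44 RESET_REQUEST pwong
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, event, username) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, event, user = line.split()
        events.append((datetime.fromisoformat(ts), ip, event, user))
    events.sort(key=lambda e: e[0])
    return events


def detect(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Slide a time window over each source IP's events and raise two kinds of alert:
    - credential_stuffing: many distinct usernames tried with a high failure rate
      (one person mistyping a password hits one account, not many);
    - reset_abuse: password-reset requests for many distinct accounts from one source.
    A stuffing alert also lists accounts where a login succeeded, since those are
    the ones to force-reset and notify."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e[1]].append(e)

    alerts = {}  # keyed by (ip, kind) so each source raises each kind once
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]

            logins = [e for e in win if e[2] in ("LOGIN_OK", "LOGIN_FAIL")]
            if logins:
                users = {e[3] for e in logins}
                fails = sum(1 for e in logins if e[2] == "LOGIN_FAIL")
                ratio = fails / len(logins)
                if len(users) >= min_users and ratio >= min_fail_ratio:
                    alerts[(ip, "credential_stuffing")] = {
                        "ip": ip,
                        "kind": "credential_stuffing",
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        "succeeded": sorted(e[3] for e in logins if e[2] == "LOGIN_OK"),
                    }

            resets = {e[3] for e in win if e[2] == "RESET_REQUEST"}
            if len(resets) >= min_users:
                alerts[(ip, "reset_abuse")] = {
                    "ip": ip,
                    "kind": "reset_abuse",
                    "distinct_users": len(resets),
                    "targets": sorted(resets),
                }

    return sorted(alerts.values(), key=lambda a: (a["ip"], a["kind"]))


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log the first source trips the stuffing rule (eight accounts, seven failures, one success on "anna.k") and the third trips the reset rule, while the second source, a single user failing once and then logging in, raises nothing. In production the same logic belongs in a SIEM rule keyed on source IP or on a device fingerprint, and the "succeeded" list is the input to a forced password reset rather than just a report.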

Compromised business or corporate emails may be used as a research tool to potentially develop a spear-phishing campaign against the owner of the corporate email. If the cyber criminals are able to successfully identify the person and company associated with the email, they can craft a spear-phishing email to gain access to the organization’s computer systems through malware delivery.

The owners of the email accounts will likely begin to receive spam emails, the least sophisticated form of compromise attempt. However, the following variations, at increasing levels of sophistication, may also be used:

  • General Spam (Phishing): These spam emails are delivered to a large group and will have subject lines crafted to entice the recipient to open them. Once opened, these emails will likely contain a link to a malicious website or document that will download malware onto the victim’s computer.
  • Customized Spam (Spear-Phishing): If the email activity of the account owners reveals the retailers they shop from, the spam email will be more convincing. It may be customized for the account owner’s location and will promote items they typically buy or stores they typically buy from.
  • Spam Bot: Cyber criminals may be able to use compromised email accounts to send spam emails to the victim’s contact list. These spam emails are more effective because they arrive from a sender the recipient knows. This increases the chances of a targeted victim opening the email and potentially clicking on the malicious link embedded within it.

As more information is released about this data breach and who is responsible, there will be more insight into how this compromised data is being used.


This article was coauthored by Brook Satti and Joel Townsend, IBM Red Cell