Security Brief: 1.2 Billion usernames and passwords hacked through national websites

Many of you may have seen the announcement that Criminals in Russia have stolen 1.2 billion user names and passwords. This is more than 5 times the entire US population! Hold Security based in Milwaukee reported their findings this week but due to confidentiality agreements can not divulge who those clients/websites are. It is known that these websites belong to fortune 500 as well as local mom and pop companies. In several weeks Hold Security is expected to offer a free service where you can find out if your website was hacked.

This was accomplished by exploiting vulnerable websites and utilizing phishing campaigns to gather these user names and passwords from unsuspecting people all over the world. Not all of these websites have been patched or fixed but most have or are in the midst of completing their remediation plans.

Since we don’t know what sites were affected we should assume that most of the US population has had some kind of exposure to this criminal event. This is the largest hacking event in history and is 7 times larger than the Target breach. This breach does not affect credit card information directly but hackers could use the stolen usernames and passwords to gain access to credit card and banking information. The safest plan is to change every password that you have for Amazon, Gmail, eBay, Expedia, and any other common websites that you use. Most banks and financial institutions are using a two factor authentication system. These tend to be much more secure and hold up against such phishing campaigns like this and we highly recommend taking advantage of this security feature if offered by your banking institution. If your bank does not have this two-factor authentication in place, you may want to consider changing that password and consider looking for a banking institution that has implemented this security feature

We know that it is a pain to have to change all of your passwords, but it is really the only thing you can do to ensure that your sensitive information stays secure. We would also recommend that in 60 days you go back and change passwords again. The reason behind this is to give those sites that are being notified time to correct the issues and shut down the vulnerability. Then the second round of changes should have a much higher level of confidence. And as always please remember to not click on any links in e-mails that want you to download something you have not previously requested or offer to check the “strength” of your password.

For more information please read our Blog entitled Security Reminder Phishing emails posted on our website

Need help finding ways to reduce business costs? Our FREE eBook has the answer.Learn more here