Another week, another record-breaking fraud trove. To be precise, 1.2 billion unique data records in the hands of fraudsters. Researchers at Hold Security identified a cyber gang in Russia, which the security firm dubbed CyberVor, in possession of the largest stash of stolen identities, emails and personal info yet uncovered in one single criminal organization.
Among this data set were over 500 million email addresses, including passwords, plus many social logins. To get the data the gang relied on a multi-phase approach: first purchasing a database of credentials, then using those to install malicious software on the owners' machines; then, second, using a botnet to probe 420,000 sites, before breaking in and stealing all credentials they could access within those compromised networks. Quite a haul.
For consumers, sadly, there's a reasonable chance that your credentials for one account or another are somewhere in that list. Lesson: change your passwords; protect your most critical stuff by using unique passwords for those accounts, and changing them from time to time. Though it's not much of a silver lining, it appears that the credentials have not yet been used for fraud. According to SCTimes, they have been used only for spamming, to date, but that could change.
For online retailers, this further increases the attack surface you face with online fraud, as the number of potentially compromised "real people" expands. And it also points to the importance of putting in place a strong ecommerce antifraud system if you don't have one already.