Experts are still trying to assess the damage from a data hack this week in which a Russian crime ring reportedly amassed the largest known collection of stolen internet credentials — 1.2 billion username and password combinations, more than 500 million email addresses and 420,000 websites. It is being called the largest security breach ever, and former FBI Cyber Squad Supervisor and now Kroll Cyber Security Managing Director Tim Ryan told NJTV News Anchor Mary Alice Williams that people who use the same username and password for multiple online accounts should change all of their passwords to unique ones for every account.
Ryan said that if the company is taken at its word, people discovered 1.2 billion usernames and passwords in the open that were seized by Russian attackers. He said what he does not know is how easy it would be for the attackers to use those passwords because he does not know what format they were in, whether they were encrypted or whether they could be readily used.
Ryan said that the company is reporting that the information was taken from a variety of websites throughout the internet from small companies all the way up to Fortune 500 companies. He said that the company that found the passwords has not been very specific as to where the breach occurred or exactly what other companies are affected.
He said that he has seen some cases where he believes that this kind of data, if not the specific data set, then that type of data is being used. He said that he is working some active breaches right now where he knows the “bad guys” have gotten their hands on some usernames and passwords and they are breaking into companies by using them.
He said that his concerns are to the extent that any company allows customers to get access to a rewards program or finances and all that company does is use a username and password. He said that his concern is that there is a chance that the username and password may exist on this list. He said that the company needs to give serious thought to either scrutinizing how those passwords are being used and whether there is legitimate access to those accounts right now or whether they should be changing everybody’s passwords.
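The two defensive checks Ryan describes, finding out whether customer credentials appear on a dumped list and scrutinizing whether current logins are legitimate, can both be automated. The following is an added illustration, not code from the article or from Kroll; it assumes a constructed plaintext dump (the real dump's format is unknown, as Ryan notes), a user store of salted PBKDF2 hashes, and a made-up auth-log line format with `src=`, `user=` and `result=` fields.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample of a "dumped" credential list (assumption: plaintext pairs).
LEAKED_CREDENTIALS = [
    ("alice@example.com", "Summer2014!"),
    ("bob@example.com", "wrongguess"),
    ("carol@example.com", "letmein"),
    ("nobody@example.com", "x"),          # not a customer here
]


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stored-hash scheme assumed for this example: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user_store(users):
    """Build a {username: (salt, hash)} store from constructed plaintext inputs."""
    store = {}
    for username, password in users:
        salt = os.urandom(16)
        store[username] = (salt, hash_password(password, salt))
    return store


# Constructed customer store: alice and carol reused their leaked passwords, bob did not.
USER_STORE = make_user_store([
    ("alice@example.com", "Summer2014!"),
    ("bob@example.com", "a-different-password"),
    ("carol@example.com", "letmein"),
    ("dave@example.com", "unrelated"),
])


def accounts_to_reset(store, leaked):
    """Usernames whose leaked password verifies against the stored hash.

    Only these accounts need a forced reset; the rest of the dump does not
    match and a blanket reset can be avoided if the company prefers.
    """
    exposed = []
    for username, leaked_password in leaked:
        record = store.get(username)
        if record is None:
            continue                      # dump entry is not one of our customers
        salt, stored_hash = record
        candidate = hash_password(leaked_password, salt)
        if hmac.compare_digest(candidate, stored_hash):
            exposed.append(username)
    return sorted(exposed)


# Constructed auth-log lines (format is an assumption for this example).
AUTH_LOG = [
    "2014-08-06T10:00:01 src=203.0.113.7 user=alice@example.com result=FAIL",
    "2014-08-06T10:00:02 src=203.0.113.7 user=bob@example.com result=FAIL",
    "2014-08-06T10:00:02 src=203.0.113.7 user=carol@example.com result=OK",
    "2014-08-06T10:00:03 src=203.0.113.7 user=dave@example.com result=FAIL",
    "2014-08-06T10:00:03 src=203.0.113.7 user=erin@example.com result=FAIL",
    "2014-08-06T10:05:00 src=198.51.100.5 user=alice@example.com result=OK",
    "2014-08-06T11:20:00 src=198.51.100.5 user=alice@example.com result=OK",
    "2014-08-06T12:00:00 src=192.0.2.9 user=bob@example.com result=FAIL",
    "2014-08-06T12:00:20 src=192.0.2.9 user=bob@example.com result=OK",
]


def flag_credential_stuffing(log_lines, min_accounts=3, min_fail_ratio=0.8):
    """Source addresses that try many distinct accounts with mostly failures.

    A single user mistyping a password touches one account; a replayed dump
    touches many accounts from one source, most of which do not match.
    """
    attempts = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        stats = attempts[fields["src"]]
        stats["users"].add(fields["user"])
        stats["total"] += 1
        if fields["result"] == "FAIL":
            stats["fail"] += 1
    return sorted(
        src for src, s in attempts.items()
        if len(s["users"]) >= min_accounts and s["fail"] / s["total"] >= min_fail_ratio
    )


if __name__ == "__main__":
    print("force reset:", accounts_to_reset(USER_STORE, LEAKED_CREDENTIALS))
    print("suspicious sources:", flag_credential_stuffing(AUTH_LOG))
```

The reset check verifies each dumped password against the stored hash rather than storing or comparing plaintext, so it can run on an existing user database without weakening it; the log check keys on many distinct accounts per source, which is the signal a replayed list produces and a legitimate user does not. Thresholds are illustrative and would be tuned to real traffic.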
“I think for each user to the extent that they are using the same password on multiple websites, then I think yes they should change their passwords across all of those websites. They should have a unique password for each website and each online account that they have,” said Ryan.
When asked how this attack is different than the Target breach, Ryan said that in the Target case, Target was able to do forensics and determine how the attack occurred and was able to figure out what date it occurred and what happened. He said this case is a little different because the firm that found the data found a bunch of usernames and passwords dumped on the internet so they do not have the insight into the companies to know when these usernames and passwords were valid. He said for all he knows, the company found credentials that may be 10 years old or they may have found credentials that were 10 minutes old.