Yesterday, The New York Times dropped an exclusive account of what reporter Nicole Perlroth called "the biggest hack ever." By the numbers it certainly held up: 1.2 billion accounts, covering 500 million unique email addresses over 420,000 websites. The data had been captured by a Russian hacker group called CyberVor, and revealed by Hold Security. But as the smoke clears, the hack seems to be less of a criminal masterwork than the article might have you believe.
Hold Security is already capitalizing on the panic
The biggest problem, as Forbes's Kashmir Hill and The Wall Street Journal's Danny Yadron have noted, is that Hold Security is already capitalizing on the panic, charging a $120-per-year subscription to anyone who wants to check if their name and password are on the list. Hold says it's just trying to recoup expenses, but there's something unseemly about stoking fears of cybercrime and then asking concerned citizens to pay up. It also gives Hold a clear incentive to lie to reporters about how large and significant the finding is.
Of course, facts are still facts, but even the hard data here is a little strange. If the idea of hacking 1.2 billion usernames sounds incredible, it should. There are just a handful of services with over a billion users — Facebook, Google Search, and Microsoft Office lead the pack — and if any of those were involved, Hold wouldn't be shy about saying so. Instead, this data comes from hundreds of thousands of compromises over the course of months. Comparing it to breaches like Adobe or Target, as Perlroth does repeatedly, simply doesn't make sense.
Comparing it to breaches like Adobe or Target simply doesn't make sense
It would still be impressive if CyberVor had managed to hack that data across all 420,000 sites, but even that is unclear. Here's Hold Security's description of the attack:
Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks... [which] used victims’ systems to identify SQL vulnerabilities on the sites they visited.... eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e-mails and passwords.
Notice anything odd? Both Perlroth's article and Hold Security's description stop short of saying the group actually stole all 1.2 billion passwords. They just "eventually ended up" with them. We already know the gang started out by buying data from earlier hacks, but it's remarkably unclear where the bought data ends and the stolen data begins. Many of the passwords could have been old data from someone else's hack.
SQL injection is a powerful technique, but a common one
But what about the high-rolling corporate security involved? Hold Security says the companies affected range "from Fortune 500 companies to very small websites," but their technique is much better suited to small sites than major corporations. SQL injection is a powerful technique, but it's also a common one. Hackers have been using the attack for more than a decade, and any security professional would know to protect against it. It's always possible that a Fortune 500 company left themselves exposed (you should never underestimate incompetence), but it seems like a long shot. Most comparable hacks (Target, Adobe) involved extensive research and multistage hacks that were tailored specifically to that company, much more sophisticated attacks than the one Hold describes.
If CyberVor were shopping for the Fortune 500 data instead of cracking systems, on the other hand, the group would have had plenty of options. The data could have come from Target, LinkedIn, or an upstream breach like the Global Payments hack in 2012. All that data is still kicking around the darker corners of the web, available to anyone willing to pay for it. The usernames get cheaper as they get older, so in the case of a two-year-old hack like Global Payments, counting to a billion wouldn't even be that expensive.
The data may be more about quantity than quality
The biggest red flag of all, though, is that CyberVor isn't trying to sell the data or use it to steal actual money. They're using it for Twitter spam, the dark web equivalent of boiling the bones for stock. If there were anything else they could do with these passwords, it would be more lucrative and more sustainable than spamming. The fact that the crew is reduced to jacking Twitter accounts suggests the data is more about quantity than quality.
What you're left with is something of a mess. Clearly CyberVor has been busy, and they seem to have done real damage. Spammers are bad, and cracking small sites is just as bad as cracking big ones. But the most impressive aspects of the hack (the 1.2 billion accounts, the 420,000 sites) all have more to do with how the hack was framed than how it was carried out, and it's easy to see why. No one was going to pay $120 a year just to find out if their Twitter might get hacked.