Alleged Massive Account and Password Seizure By Russian Group
New submitter Rigodi (1000552) writes "The New York Times reported on August 5th that a massive collection of stolen email passwords and website accounts has been accumulated by an alleged Russian 'crime ring'.
Over 1.2 billion accounts were compromised ... the attack scheme is essentially the old and well-known SQL injection tactic using a botnet. The information has been made public to coincide with the Black Hat conference to cause a debate about the classic security account and password system weaknesses, urging the industry to find new ways to perform authentication. What do Black Hat security conference participants have to say about that in Vegas?"
For those inclined to make moral equivocations between the NSA and the Russian government, both do what the NSA got caught doing. The difference is that the US Government would have the FBI kicking in this gang's door with a SWAT raid if they were Americans, whereas Putin is probably chuckling right now if he's reading about this.
How was this even possible? Passwords should NEVER be something you can steal since they shouldn't actually be stored as clear text (or even encrypted, for that matter).
Hasn't it been common practice, for at least a decade, to store the passwords as a salted hash (using a unique salt for each user)?
You shouldn't be able to steal a password since the site shouldn't have it.
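The comment above describes the expected practice: store a per-user random salt plus a slow hash, never the password itself, so a dumped table (via SQL injection or otherwise) does not hand the attacker reusable credentials. The following is an added example, not code from the original thread or any of the sites mentioned; it uses PBKDF2-HMAC-SHA256 from Python's standard library, and the iteration count and record format (`pbkdf2_sha256$iterations$salt$hash`) are assumptions chosen for illustration. It also shows why the salt must be unique per user (identical passwords produce different records) and how to detect records that should be re-hashed when the cost parameter is raised.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the original thread).
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000     # current cost; raise over time as hardware gets faster
SALT_BYTES = 16          # 128-bit random salt, one per stored password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn for every call unless one is supplied
    (supplying one is only useful for deterministic tests).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False          # malformed record: never fall back to plaintext comparison
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a weaker cost than the current policy.

    Call this after a successful login and re-hash with the user's (still
    in-memory) password so old records are upgraded without a forced reset.
    """
    try:
        algo, iterations, _salt, _hash = stored.split("$")
        return algo != ALGO or int(iterations) < min_iterations
    except ValueError:
        return True


def same_password_different_records(password: str) -> bool:
    """Two users choosing the same password must not produce identical records.

    This is the property a per-user salt buys: a leaked table cannot be
    attacked with a single precomputed (rainbow) table or by spotting
    duplicate hashes across accounts.
    """
    rec_a = hash_password(password)
    rec_b = hash_password(password)
    return rec_a != rec_b and verify_password(password, rec_a) and verify_password(password, rec_b)


if __name__ == "__main__":
    # Constructed demonstration values.
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
    print("salted per user:", same_password_different_records("hunter2"))
```

The record carries its own algorithm and cost, so the verifier never has to guess how an entry was produced, and `needs_rehash` gives a migration path when the iteration count is raised. In production, a purpose-built library (bcrypt, scrypt or Argon2 via a maintained package) is preferable to hand-rolled PBKDF2 handling, but the storage shape and the verify-then-upgrade flow are the same.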
How do we know they are mutually exclusive of each other?
This story seems to have no actual meat to it. They say that a lot of sites have been hacked, some big names, we knew this. Many sites are still vulnerable, we knew this. By not disclosing the sites you're making more people vulnerable, and it's bad for everyone. It's going to take something bad happening to someone to learn the importance of password security for themselves. Some people will never learn certain concepts unless they experience them for themselves.