A record Internet data heist can't be fixed with a password change

This story is based on a radio interview.

Audio Transcript:

Marco Werman: Here's another news story from Russia that we should all be worried about: a gang of Russian hackers has amassed more than a billion username and password combinations from a wide variety of websites. This is considered to be the largest collection ever of stolen internet data and the hackers are getting more brazen.

David Gelles: In a break from similar Russian hack attacks in the past, these guys weren't afraid of going after Russian sites as well.

Werman: That's David Gelles from The New York Times. He helped break the story about this latest virtual heist by Russian hackers.

Gelles: It was just an astonishing number that took a moment to get our head around, frankly. 1.2 billion unique username and password combinations, 500 million unique email addresses pulled from 420,000 or more individual websites is simply larger than any other breach we've ever seen.

Werman: It sounds industrial in nature and yet this is being attributed to a Russian hacker gang. Who are they?

Gelles: As far as we know, this is a group of fewer than a dozen young men mostly in their 20s, all of whom know one another personally, not just virtually, and who are operating out of a small town in south central Russia, the region flanked by Kazakhstan and Mongolia. The fact that a small group like this was able to seemingly inflict such widespread damage just goes to show how weak most companies' security measures are.

Werman: You say "companies," so who were they targeting? Were they targeting the minnows, like users like you and me, or were they targeting bigger fish?

Gelles: The way this worked is that they actually went to these hundreds of thousands of websites and extracted the data from their databases. So in this case, the ones at fault are really the companies and organizations that have too weak security on their site and the victims are you and I, people who trusted these organizations and companies with our data and who simply just were not secured by them.

Werman: If you're one of these users on one of these sites who changes their passwords regularly, you would have been affected anyway?

Gelles: They have passwords stretching back for years and they also have very recent data, according to security experts outside the firm who we consulted to verify the data. So this is an enormous trove and updating your passwords regularly helps, but even then the scale of this breach is so unprecedented, it's hard to say that anyone's username and password is really secure at this point.

Werman: Can you just give us a few of the sites that they hacked?

Gelles: Unfortunately, we don't have the full list. Hold Security, the group that uncovered this, understandably wanted to keep that information private for now at least, because these sites are still vulnerable. So if they came out and said "Company X was attacked by these guys," that would be a red flag for every other hacker that says "Oh, these guys have such lax security, why don't we go there and get them too?"

Werman: I feel like anecdotally, whenever I hear about these hacks, quite often it's from these hackers in Russia. Are these hacker groups common there and do they get kind of a free pass to function in places like Russia?

Gelles: They're very common there and as for a free pass, I don't know if they have a free pass but I think it's not a stretch to say that the Russian government does not have a great record of tracking these guys down and prosecuting them.

Werman: Let me take that a step further: do you see this possibly as a form of cyberwar? Is there anything to suggest that the Russian government was behind this?

Gelles: The guys who uncovered this specifically said that there is no evidence that the Russian government was involved with this or has sanctioned this, so I think we don't want to make any suggestions to that effect.

Werman: It really feels like keeping personal information out of the hands of thieves is like whack-a-mole. You nail one but they just go somewhere else, along with it seems hundreds of others. Is the decentralized nature of the net just our worst enemy?

Gelles: I think what you said is absolutely right, it's whack-a-mole now and that is prompting security experts to call for something other than the username and password as the main security mechanism. There's a lot of work being done in biometrics and the truth is we're in this limbo phase where username and password combinations are clearly insecure and yet we don't have the technology widespread enough to have a more secure method that's easily deployable just yet. So, I think we're going to see more of these in the years to come.

Werman: Just kind of on the news you can use front, we hear that to best protect ourselves we should change our passwords on a regular basis. You said that this hack goes back years and lots of passwords that people have had and changed. I guess the logic that passwords are harder to hack if you're a moving target - but what if you change your password on Monday and on Tuesday there's a hack - I wouldn't still benefit from the password change, would I?

Gelles: Not at all. You would have to change it again on Wednesday, and this is exactly why people feel like the system itself needs some fundamental re-thinking.

Werman: David Gelles with The New York Times, thanks so much for speaking with us today.

Gelles: Thanks for having me.