Science, Tech & Environment

A record Internet data heist can't be fixed with a password change


A magnifying glass is held in front of a computer screen in this picture illustration. A Russian gang has stolen private information from 1.2 billion internet users around the globe in a new story published by The New York Times on August, 5, 2014.


Pawel Kopczynski/Reuters

News emerged Tuesday that a gang of Russian hackers stole more than a billion usernames and passwords from people around the world. What's worse? They're getting more brazen about their attacks.

Player utilities

This story is based on a radio interview. Listen to the full interview.

"In a break from similar Russian hack attacks in the past, these guys weren't afraid of going after Russian sites as well," says David Gelles from The New York Times. He and fellow reporter Nicole Perlroth broke the story about the Russian hacker gang.

The size and scope of the security breach astounds Gelles: 1.2 billion unique usernames and passwords and 500 million unique email addresses, all culled from more than 425,000 websites. "It's simply larger than any breach we've ever seen," he says.

It sounds industrial in nature, but it was a small group of hackers that did all the damage — fewer than a dozen young men in their 20s who all know each other personally, according to Gelles. They're operating out of a small town in south central Russia near Kazakhstan and Mongolia.

It seems like many hacker attacks originate in Russia. So do they get a free pass to function there? Gelles says what many already know: They are very common in Russia. But as far as getting a free pass, that's hard to say. "But I think it's not a stretch to say that the Russian government does not have a great record of tracking these guys down and prosecuting them," he says.

But focusing on Russia hackers takes the focus off the biggest problem in their heist: Lackadaisical security by thousands of companies around the globe. Gelles says what this story really shows is how poor corporate security systems are at stopping attacks. And that's where hackers are getting their data: The website of companies, not from individuals themselves.

But if you want to know who was hit, you'll have wait. The names of the companies aren't public just yet.

Hold Security, a cybersecurity firm based in Milwaukee, Wisconsin, told the Times about the breach. But Hold Security wouldn't release the list of companies, saying it would make the them vulnerable to more attacks if hackers know they're easy targets. Hold Security told the Times it's working to create a tool to allow people to know if they've been hit.

So is it time to change our passwords? It all depends. If you changed your password Monday and a website gets hacked the next day, you'd have to change it again on Wednesday. But that's assuming you know the website has been hacked — and most companies don't. And that's exactly why Gelles says the system of usernames and passwords itself needs fundamental rethinking.