'Unprecedented' Number of Stolen Credentials For Sale Online

CYBERSPACE—The fallout from the increase in data breaches could be felt for some time to come as reports come in about the sheer volume of stolen credentials available for sale on the internet's black markets. In the most recent revelation, Reuters reports, "A cybersecurity firm said on Tuesday that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access." Though details remain somewhat vague regarding the source of the credentials, Reuters adds that "the discovery could represent more of a risk to consumers and companies than stolen credit card data because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system." The firm, Hold Security LLC, told Reuters that stolen data it has received over the past two weeks indicates that "an unprecedented amount of stolen credentials is available for sale underground." According to Alex Holden, the company's information security officer, "The sheer volume is overwhelming. We have staff working around the clock to identify the victims." The scale of the stolen data is indeed hard to compute in terms of the potential harm it could cause to individuals and institutions. "Holden said he believes the 360 million records were obtained in separate attacks, including one that yielded some 105 million records, which would make it the largest single credential breaches known to date," reported Reuters. Problematically, these latest thefts have received no publicity over recent months, according to Holden, who "said he believes the credentials were stolen in breaches that have yet to be publicly reported. The companies attacked may remain unaware until they are notified by third parties who find evidence of the hacking." Even worse, unlike last year's Abode breach that netted tens of millions of records with encrypted passwords, Holden says that the recent "massive trove of credentials includes user names, which are typically email addresses, and passwords that in most cases are in unencrypted text." Because the news of these compromised accounts is only now being publicly revealed by Hold, other cybersecurity experts are scrambling to assess the situation. But Heather Bearfield from accounting firm Marcum LLP told Reuters that it is "plausible for hackers to obtain such a large amount of data because these breaches are on the rise," and that "hackers can do far more harm with stolen credentials than with stolen payment cards, particularly when people use the same login and password for multiple accounts." The potential damage is incalculable, she added, warning, "They can get access to your actual bank account. That is huge. That is not necessarily recoverable funds." Needless to say, the situation is also sticky for adult online merchants and credit card processors tasked with assessing the legitimacy of transactions. There are already indications that adult sites are seeing a rise in chargebacks, which some believe is a direct result of recent high-volume credit card thefts. Assuming those black market sales go through, it could be a while before a sense of transactional security returns to the land.