1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

Data heist: Five facts

Nastassja Steudel / nhAugust 6, 2014

A group of Russian hackers are said to have amassed more than one billion Internet passwords. That could mean almost half of all users online are affected. Here are five things you need to know.

https://p.dw.com/p/1Cq5g
Image: Fotolia

1. What did the hackers steal?

According to information gathered by the "New York Times," the Russian hackers amassed a total of some 4.5 billion records. Many of those records overlapped, but some 1.2 billion are considered unique. The hackers were able to do so because of a security vulnerability in the process of database queries. The stolen access combinations for Internet profiles were collected from a total of some 420,000 websites - among them big companies as well as small websites. The records consist of user names and passwords. Worldwide, more than 500 million different e-mail addresses are said to have been targeted. Since many Internet users have several e-mail accounts, it is hard to tell how many people are affected by the data heist. The list could include old profiles or spam accounts. The affected websites have not been named yet. Most of them are still considered vulnerable, and not all website operators have been reached yet.

2. Who is behind the data heist and who uncovered it?

The paper named IT security company Hold Security, based in the US, as having found out the hackers. Their experts are said to have discovered the stolen records in underground channels on the Internet, and to have communicated with the members of the crime ring. According to Hold Security, the criminals are based in south central Russia. The group consists of fewer than a dozen men under the age of 30 who know each other personally and operate extremely professionally.

3. What can the hackers do with the records?

So far, the attackers have largely been using the stolen information to send spam on social networks like Twitter, according to Hold Security. They also sent links to malware. They appear to be considering selling their records, since it is a lucrative business on the black market. Many Internet users access different websites with the same combination of user names and passwords, which makes them easy prey for the data thieves. Unlike credit cards, which are easy to cancel, American social security numbers are an ideal possibility for criminals for identity theft.

A Laptop flanked by other devices
IT experts urge users not to use the same password across accountsImage: picture-alliance/dpa

4. How do I know if I'm affected?

Hold Security, the company that discovered the data heist, aims to set up a so-called Identity Protection Service for Internet users over the next 60 days. If you pre-register for a subscription, you'll find out if you're personally affected by the data theft. Preregistering is free for now. Operators of websites have to pay an annual fee of $120 dollars (90 euros). In Germany, the Hasso Plattner Institute in Potsdam has been offering a free Identity Leak Checker (in German) since May. Subscribers can check whether their names, passwords, account details or other personal data have been stolen and spread online. The database comprises 170 million stolen or phished datasets.

5. What can I do if my data has been stolen?

Don't panic, is the first piece of advice from Sandro Gaycken, an IT security expert with Berlin's Free University. "Seen from a risk perspective, those mass thefts are generally not actually dangerous," he says. The thieves themselves don't benefit from the data directly. In order to misuse it fraudulently, the hackers would have to type in individual passwords and user names manually. Most criminals consider that too big an effort, said the expert. "It's actually a petty offence." He advises victims of data theft to still play it safe and change their user name and password - and, above all, make sure that to use unique passwords for various accounts. The safest password is one that doesn't consist of the following: your user name, your real name, your date of birth, nor other data that can easily be linked to your person.

Sandro Gaycken
Gaycken: Data theft on this scale poses little danger to individual usersImage: picture-alliance/dpa