The Great Russian Internet Heist – What Now?

JD Supra Perspectives


The theft of more than 1 billion (yes, with a “B”) and 500,000 email addresses by Russian hackers is yet another wake-up call for businesses and consumers alike. Questions persist as to whether the story released by Hold Security is completely accurate given that very little concrete information outside “the headline” has been released or made available. According to the New York Times, an independent (but unnamed) security expert verified the database of stolen user details.

Even if there is a scintilla of truth to this story (and it is not out of the question), companies and consumers need to sit up, pay attention, and take action. Unfortunately, it is highly unlikely that either impacted companies or consumers will have recourse against the Russian hackers.

Companies need to take the development and implementation of their online presence seriously. According to reports, the Russian hackers did not single out large companies, small companies, or US-only companies. The theory is that they discovered a programming vulnerability that gave them access to user information stored by a website. Once they had found it, the hackers then cruised the Internet to find every other website with that same vulnerability and “hoovered” up anything the vulnerability let them access. The flaw could have resulted from anything from failing to update code or apply patches to failing to vet developers. We also do not know whether the user names and passwords were hashed or encrypted, or whether they were stored in clear text. If the user information was stored in clear text on 430,000 websites, that is a far more interesting and important development. The Adobe breach numbers were quite large, but many of the user credentials proved to be disposable or no longer active.
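The hashed-versus-clear-text distinction above is the difference between a stolen database that hands the thief usable logins and one that does not. The following is an added illustration, not code from the article or from any of the affected sites: it stores a constructed password both ways using only the Python standard library (the PBKDF2 iteration count is an assumed work factor, not a value from the page) and shows that a salted, iterated hash still verifies a correct login while the stored row itself no longer contains the password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; tune for your hardware.
PBKDF2_ITERATIONS = 600_000


def store_clear_text(password: str) -> dict:
    """The weak pattern: the stored row *is* the credential."""
    return {"scheme": "clear", "secret": password}


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """The recommended pattern: per-user random salt plus a slow hash.

    The row holds only the salt, the iteration count and the digest, so a
    thief who copies the table still has to guess each password offline.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "scheme": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against either kind of stored record.

    compare_digest is used in both branches so the comparison time does not
    leak how many leading bytes matched.
    """
    if record["scheme"] == "clear":
        return hmac.compare_digest(record["secret"], candidate)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample password; not a real credential.
    pw = "correct horse battery staple"
    weak = store_clear_text(pw)
    strong = store_hashed(pw)
    print("clear-text row:", weak)          # password visible in the row
    print("hashed row:    ", strong)        # only salt + digest stored
    print("login ok:", verify(strong, pw))
    print("wrong pw:", verify(strong, "not the password"))
    # Two users with the same password get different rows because the
    # salt is random, which defeats precomputed lookup tables.
    print("same pw, different hash:", store_hashed(pw)["hash"] != strong["hash"])
```

A site that stores rows like `strong` limits what the “hoovering” described above can yield: the attacker gets salts and digests, not passwords, and each one must be guessed separately at the cost of the configured iteration count.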


Regardless, website owners should take notice, analyze their code, and apply patches as soon as they are released. If you have not had a risk and vulnerability assessment performed on your website since you went live in 2005, you are seriously overdue. Failing to provide reasonable security for user personal information could be a violation of your website privacy policy (“we take your security seriously”) and could subject the company to Federal Trade Commission scrutiny. Further, a breach of this nature is reportable under the breach notification laws in both California and Florida, as recently amended: “Personal Information” includes a user name or email address, in combination with a password or security question and answer, that would permit access to an online account.

For the rest of us (because we are all website users), whether or not this story is completely accurate, it is time for password hygiene. Until other solutions to the username/password convention for accessing online information come into practice, users will need to adopt other means of protecting their own identities. Stolen credentials are sold on the “dark web” every day. If you have a single user name/password for all of your online life, it is time to change that very bad habit. Changing all of your passwords immediately is not absolutely necessary, although some security experts are recommending that drastic course of action. It is more practical to start with smaller steps. Use distinct (and strong) passwords for the online accounts most important to your life and keep a close eye on those accounts. Use a password manager to help create more secure passwords and to organize them all, and, best of all, use two-factor authentication. Secure your home network and do not trust third-party free Wi-Fi hotspots for any online transaction that requires the use of a password.

We need more information from Hold Security, and we hope that it is forthcoming as a public service and without charge for “breach notification” services.

*

[Cynthia Larose is chair of Mintz Levin’s Privacy & Security Practice and a Certified Information Privacy Professional (CIPP). Among other things, Cynthia represents companies in information, communications, and technology, including e-commerce and other electronic transactions.]
