Force all users in your organization to change their network access passwords, and passwords to mobile devices such as phones and tablets. Encourage them to create strong, new passwords that do not resemble their old passwords.

Tuesday afternoon, the New York Times reported that an organized Russian criminal group bought and stole approximately 1.2 billion user name and password credentials, associated with more than 500 million email addresses from hundreds of thousands of websites – both major and smaller –  around the world. The article reported that the group of hackers used a large botnet to methodically probe websites for vulnerabilities that could be exploited using a SQL injection attack. Making matters worse, although the attack was revealed, the victim websites, companies and individuals were not, leaving many with the question of “Am I vulnerable? and what do I do, now?”

Before taking any action, there are a number of things to understand:

What is a SQL (pronounced “SEE-QWELL”) Injection attack?

Some websites allow legitimate users to submit and retrieve data from a database that stores information important to the website’s functionality. Login pages, support and product request forms, feedback forms, search pages, and shopping carts are examples of features of web applications that are susceptible to a SQL Injection attack. In a SQL Injection attack the hacker attempts to enter SQL commands through web application that gets executed and gives the hacker access to the backend database. In other words, many, but not all, web pages and applications are susceptible to a SQL Injection attack.

If the hackers have your passwords and you change them, the hackers will not be able to use the passwords they already have to access your accounts...

If the hackers have my passwords or my customers’ or employees’ passwords what will happen?

The hackers typically attempt to use your user ID or email address and passwords to send spam or access important web sites, such as banking sites (to steal or transfer money) or social media sites (to gain access to your contacts’ information or to send spam from your account). If the hackers have your passwords and you change them, the hackers will not be able to use the passwords they already have to access your accounts.

Why do hackers do this?

Sometimes for money, sometimes for bragging rights. When hackers steal a company’s entire user password database, they may want to make a company look unsecure to tarnish its reputation. When hackers use individuals’ passwords to access social media sites or email accounts, they can make money by getting paid to send spam from the individuals’ accounts.

What do I do? 

The New York Times article and the study do not reveal who the victim web sites, companies or individuals are. Regardless, there are some basic steps that you should take, after consultation with your experienced IT Staff:

1. Force all users in your organization to change their network access passwords, and passwords to mobile devices such as phones and tablets. Encourage them to create strong, new passwords that do not resemble their old passwords. In the event that login/password credentials for your entity were compromised, this will help minimize harm that these hackers could cause.
2. Remind users not to allow their web browsers (or smart phone apps) to store/save their passwords.
3. Advise your employees/staff/volunteers to change their personal passwords for social media, email, and financial accounts, especially if your employees tend to use the same password to log into work and personal accounts. Suggest that they use two-factor authentication where sites offer it (many banks, email providers, and social networking sites offer users the ability to have a text-message sent to them with a code number that can be used as a type of second password to access the account).
4. Engage IT to review security access logs to determine whether there is any evidence that login/password credentials have been misused to gain access to your organization’s network. It is also a good idea to preserve the relevant logs (firewall, VPN, etc.) if it turns out later that you discover your organization was subject to this attack. Often organizations over-write logs or retain them only for a short period of time, which makes later analysis difficult or impossible. Keeping logs today will be critical in determining the scope of the attack and the data that was exfiltrated – both of which are crucial in determining the extent of notification obligations you may have – if you discover your organization was compromised tomorrow.
5. Engage IT to ensure all web (or other) servers and users’ computers or other tech devices have the most up-to-date security patches on them. This will not prevent attacks from vulnerabilities that are not yet discovered, but it helps prevent against all known attacks, which is a must in this day and age.

*