FBI investigates Russian hacker that stole billions of login credentials
A suspected Russian hacker claiming to have stolen 1.2 billion unique email and password combinations is being pursued by the FBI. The hacker has also offered access to hacked social media accounts.
This information was brought to the FBI by Alex Holden, CISO of Hold Security in Milwaukee, Wisconsin, in the USA. In August 2014, Holden warned that he found, “what could be arguably the largest data breach known to date.” According to Reuters, it was made public last week by a federal court in Milwaukee.
Hold Security said the “Russian crime ring” assembled the stolen credentials partially by scanning websites for flaws. A total of 4.5 billion records were amassed, including username and password credentials and more than 500 million email addresses.
“A review of this information revealed text files containing, inter alia: username and passphrase credentials, credit card information, social security numbers, email addresses and file transfer protocol (FTP) accounts,” said Eliot Mustell, special agent for the FBI Milwaukee bureau’s Cyber Crimes Task Force.
In the search warrant, the bureau found that two of the test email addresses connected with the malicious applications discovered by the FBI were “email@example.com” and “firstname.lastname@example.org”, both of which are run by Microsoft. Both emails potentially lead back to people involved in illegal activities.
Microsoft provided the subscriber information in response to a subpoena in October 2014 for the account holder of the email@example.com address. The account holder was found to reside in the state of Kursk, Russia. Some logins were made from an IP address with a Luxembourg-registered service, as the hacker probably used a virtual private server to mask their identity.
Bureau agents also discovered that on the Russian hacking forum “exploit.in”, a user named “mr.grey” engaged in discussions concerning spamming and malware. This user also provided hacked accounts for Facebook, Twitter and VK, aka the Russian site VKontakte. Holden admitted that a message from mr.grey indicated that he operated or had access to the database that contained the billions of stolen records.
The search warrant states that records acquired from AOL showed that the email address firstname.lastname@example.org was the contact information for Fereydon Abdollahyan from West Wickham, Kent, Great Britain. Agents tried creating a new AOL email account email@example.com, but AOL sent a message stating that the username was already in existence.
In the wake of the findings by Hold Security, some security experts have used the discovery to warn of website security shortcomings across the board.