September 11, 2014

Google denies breach after hackers leak millions of user logins

Thursday 11 September 2014 09:30
Google has denied that its computer systems were breached and downplayed the threat after hackers claimed to have leaked 4.9 million Gmail logins.

Hackers posted what they claimed were the email addresses, usernames and passwords of nearly five million Gmail customers, exposing them to identity theft.

The data was first posted on a Bitcoin security forum called by a hacker using the name of "tvskit", who claimed that 60% of the entries were valid.

But Google said the data is probably a collection of credentials from different sources, and that only 2% of the credentials were correct and an even smaller proportion could be used to access accounts.

"Our automated anti-hijacking systems would have blocked many of those login attempts," the company's spam and abuse team said.

The team added that the affected accounts were now protected as the account holders had been forced to change their passwords.

The cache of credentials is the third of its kind to appear on Russian internet forums in recent days, according to Ars Technica.

Files that allegedly contained the login credentials of 4.7 million and 1.3 million Yandex accounts were also leaked online.

But both Russian internet firms said the files were full of invalid, obsolete and fake accounts, according to local news reports.
Google warned users not to use the same login credentials for several online services to prevent a single breach enabling hackers to access multiple accounts.

The internet firm said users should create strong passwords, use two-factor authentication and ensure they have recovery options set up correctly.

Yiannis Chrysanthou, security researcher in KPMG's cyber security team, said businesses need to introduce multi-factor authentication instead of blaming weak passwords.

"Catalogues of previously leaked credentials serve as a database for password crackers. This then makes future hacks even easier and quicker;" he said.

Multi-factor authentication
According to Chrysanthou, password cracking research is moving towards intelligent, efficient and content-aware attack techniques, designed to crack most passwords fast.

Every large-scale credential leak, he said, makes cracking passwords easier for the next one and organisations adding password complexity to their policies only slightly delays this process.

"The alternative is to use multi-factor authentication as it improves security by combining multiple forms of identification data," said Chrysanthou.

"Passwords on their own are just one authentication factor because they rely on 'something the user knows'. By adding an 'something a user has' like a smartcard, credential theft and impersonation becomes harder."

Multi-factor authentication will block traditional attacks relying on guessing or stealing a user's password because the password is not sufficient by itself.

"Of course this extra security comes with increased investment – but the improved customer protection makes it viable and valuable," said Chrysanthou.

No comments: