August 7, 2014

1.2 Billion Passwords Accumulated by CyberVor Cybercriminals

Carl Leonard Principal Security Analyst

Websense® Security Labs™ has seen reports that a small group of cybercriminals, dubbed CyberVor, has amassed a total of 4.5 billion records. These records pertain to a reported quantity of 1.2 billion unique username and password combinations relating to over 500 million email addresses.

Details of the stolen data and the methods used in the process of collecting the data are somewhat vague at the time of writing this blog.  We have reached out to Hold Security (the original team that discovered the password repository), and we await their response.

Let us review the information that is currently in the public domain:

  • Hold Security is credited with the discovery of the stolen records.
  • A cybercriminal gang amassed over 4.5 billion records, mostly consisting of stolen credentials, 1.2 billion of which are unique and belong to 500 million email addresses (albeit, not all of which are active).
  • Hold Security has suggested that the cybercriminal gang responsible, dubbed CyberVor, has Russian origins.
  • Reports suggest that the modus operandi was as follows: first, the cybercriminals accumulated a collection of stolen credentials from the underground market.  Via spam and malicious redirects, the malicious authors were able to enlist compromised machines into a bot network. This bot network was later used to identify SQL injection vulnerabilities on websites visited by the users of the infected machines. Once a list of vulnerable websites had been derived, those websites were targeted and data was extracted from the targeted organizations. Hold Security claims that up to 420,000 web and FTP sites successfully succumbed to data theft via these means.
  • An explanation of Hold Security's research is available on their website.


As we await further telemetry, we can use the event to remind our readers of the importance of password security and the need for suitably advanced security solutions to protect from data theft.

If you are at Black Hat USA 2014, you can discuss this event with our researchers on booth 135.

You can also follow our Twitter feed as we progress through the conference: https://twitter.com/websense

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...

Read more articles by Carl Leonard

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.