Here’s What Happens When Your Data Is in the Hands of a Russian Hacking Collective

The Citizen's Guide to the Future
Aug. 6 2014 5:33 PM


Revelations on Tuesday about an enormous trove of stolen personal data collected by a hacking group in Russia have been making news for the trove's sheer enormity. The New York Times and security firm Hold Security LLC report that the group has 4.5 billion sets of usernames and passwords.

Lily Hay Newman

Lily Hay Newman is lead blogger for Future Tense.

There are questions about the report, though. First of all, Hold Security isn’t disclosing any of the 420,000 websites that the Russian hackers got data from. Instead, the company is offering a service for $120 that allows people to check whether any of their data has been compromised—which seems unattractively mercenary, given the magnitude of the situation. Additionally, Hold Security doesn’t really make it clear how much of the data was originally stolen by the Russian hackers as opposed to being purchased on the black market. This distinction is important, because if the hackers have just been buying up old login credentials, there’s less of a danger that the credentials will work.


Strangest of all, the Times reports that the hackers are mainly just using the credentials to hack social media accounts and spam them. Which is weird, because when criminals steal valuable things, they usually try to sell them. Or if they steal things that give them access to money, they take the money. So maybe the credentials aren’t that valuable on their own.

Whatever is going on, though, the sheer enormity of the dataset makes it possible that the hackers could apply analysis to extract unusual information. For example, the credentials include 542 million email addresses, which might mean that the hackers can find multiple passwords associated with a single email address within their data, and start making more educated guesses about the types of passwords a given user tends to use.

Think about it. In the wake of information about the Heartbleed vulnerability you probably changed passwords on affected sites (you did, right?), but maybe you also still use some of those old passwords on other accounts that weren’t affected and therefore didn't get changed. The fact that the Russian hackers have old data doesn't necessarily mean it’s not useful since they have so freakin’ much of it.

So we’re all definitely screwed, right? Not totally! The issue here is that the traditional cybersecurity system relying on just usernames and passwords isn’t enough anymore. The key is adding extra layers of protection. Using a password manager, or at least randomly generating strong passwords, eliminating duplicate passwords used on multiple accounts, and adding two-factor (or multi-factor) authentication everywhere it’s offered are all readily available steps that can help you protect yourself.

Whether or not this turns out to be a historic hack, it’s certainly raising awareness about how important personal cybersecurity is. And it’s giving us a sense of scale of just how much data hackers can collect. As it turns out, quite a bit! But what exactly they’ll do with it remains to be seen.

Future Tense is a partnership of Slate, New America, and Arizona State University.
