Yet another major online security breach was revealed on Wednesday, June 9. An unknown malware application reportedly collected the private login information of over 3.2 million Windows PCs over the span of two years.
Apple, Amazon, Dropbox, eBay, Facebook, Gmail, LinkedIn, and Twitter users were affected. Hackers gained access to nearly 26 million login credentials from over one million websites, and stored them in a massive database with 1.2 terabytes of private information.
According to a detailed report by Nordlocker, a cybersecurity provider, the malware was transmitted through emails and illegal software, which included a pirated copy of Adobe Photoshop 2018, a Windows cracking tool, and a number of cracked games. Nordlocker created the report in collaboration with a third-party company that specializes in data breach research.
The database of stolen information housed two billion browser cookies and 6.6 million files. In some instances, files included “notepads” with sensitive data such as credit card information and bank login details. There were also around one million images and at least 650,000 Word or PDF files.
The malware that extracted the data snapped a screenshot after infecting the computer, along with a picture using the computer’s webcam. The malware also stole private data from file-sharing clients, messaging apps, email clients, and gaming clients.
On the Nordlocker blog, cybersecurity expert John Sears commented, “The stolen database contained 1.2 TB of files, cookies, and credentials that came from 3.2 million Windows-based computers. The data was stolen between 2018 and 2020. The database included 2 billion cookies. The analysis revealed that over 400 million, or 22 percent of those cookies were still valid at the time when the database was discovered.”
He added, “We want to make it clear: we did not purchase this database nor would we condone other parties doing it. A hacker group revealed the database location accidentally.” The report explained that cookies allow hackers to gain an accurate understanding of the specific interests and behavioural patterns of each victim. Cookies can also be used to gain access to a victim’s online banking accounts.
Alon Gal, co-founder and CTO of security firm Hudson Rock, said in an interview with Wired magazine that this type of user-specific data is often first accrued by stealer malware installed by an attacker aiming to steal cryptocurrency or commit a similar kind of cyber crime.
Gal added, “the attacker then will likely then try to steal cryptocurrencies, and once he is done with the information, he will sell to groups whose expertise is ransomware, data breaches, and corporate espionage.”
Users who are concerned about their online safety or need to check whether their data has been exposed have access to a number of methods. For example, the haveibeenpwnd.com site helps users to find out whether data from their email or phone has been compromised. If their email or phone number is flagged, they are urged to change their password immediately.
NordLocker has not been able to identify the malware used in this particular instance. Gal mentioned to Wired magazine that the most widely used malware during 2018 and 2019 were Azorult and Raccoon. After the malware infected the victim’s PC, the targeted data would be sent to a command server controlled by the attacker.