What you should know:
On August 5th, Hold Security reported that a Russian hacker group it calls CyberVor has amassed over 1.2 billion unique sets of login credentials in the form of email address/username and password combinations. These credentials were harvested from 400,000+ websites that were identified as vulnerable to SQL injection attacks and were subsequently compromised. This appears to be the largest breach of user credentials to date and represents a threat worse than Heartbleed. Given the scale of the breach, it is not unlikely that a site you or your users have visited was compromised. Note that this breach affected large and small websites alike; CyberVor attacked any site they could find that was vulnerable to a SQL injection attack. A complete list of compromised sites is not currently available, nor is the list of email addresses CyberVor collected.
For more information about the breach you can read:
Hold Security’s original posting here: http://www.holdsecurity.com/news/cybervor-breach/
And the New York Times report here: http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html
What to do:
Envision Consulting recommends that all users change their passwords for any websites that are important to them; this includes financial sites, e-commerce sites with stored payment information, web-based email sites and any other site of personal or commercial importance. Note: It is very important to avoid reusing the same password across multiple sites, especially on financial or email accounts. Wherever it is available, Envision also recommends enabling 2-factor authentication as an extra security measure.
If you have any further questions or concerns, please contact email@example.com and we will be happy to assist.