Yahoo’s database, which included both US military officers and Russian journalists believed to be of interest to the FSB. Baratov was arrested yesterday in Canada, Department of Justice officials say. “There are no free passes for foreign, state-sponsored criminal behavior,” Assistant Attorney General McCord told reporters at a press conference. When Yahoo first disclosed the breach in September, the company attributed the attack to “a state-sponsored actor,” a claim that some security experts found questionable at the time. Subsequent reports found that the Yahoo database was sold a number of times, suggesting a criminal profit motive rather than intelligence gathering. According to the Department of Justice, that was a result of the FSB’s collaboration with its criminal contractors, who sold much of the stolen information after it had been handed over. One of the contractors also allegedly searched the accounts for gift cards and other financial information. Yahoo’s database was breached two separate times during the period, once in August 2013 and again in late 2014, revealing account details for hundreds of millions of users each time. Today’s charges deal only with the 2014 breach, which compromised 500 million accounts. Many blamed Yahoo CEO Marissa Mayer for refusing to invest in more robust security measures. Mayer later acknowledged the error and gave up her annual salary, bonus and equity grant for 2016 as a result. Details of the breaches became public only after Yahoo had struck a deal to be acquired by Verizon. News of the security issues caused significant friction in the deal, ultimately causing Verizon to lower its purchase price by $350 million, to $4.4 billion.
A malicious website initially set up to extort visitors into paying a cryptocurrency ransom has changed its course. Instead of demanding payment via Bitcoin, Ethereum, Bitcoin Cash or Litecoin in exchange for not leaking your password on the internet, the site now hijacks your computer’s processing power to mine cryptocurrency in the background. Designed as a copy of the Have I Been Pwned attack, the site began by asking users to enter their emails to see if their password had been compromised. Unfortunately, if your password was breached, the site demanded a “donation” of $10 in cryptocurrency to not publish your password in plain text on the web. Up to 1.4 billion passwords may have been breached, but it’s unclear how accurate that figure is. However, because it may be easier, and safer, to change your password than to pay the ransom, as The Next Web noted, the site shifted its focus from demanding ransomware payments to taking over your PC’s processing power to mine cryptocurrency in the background. The publication also confirmed that the malicious site did “have a database with legitimate passwords,” but that not all compromised passwords were stored in plain text. The Next Web did not reveal the site’s address in its report, citing security reasons, but noted that it doesn’t appear that any user had made a payment. This is the latest ransomware in recent months that demands cryptocurrency as a form of payment. Prior to this incident, Thanatos encrypted files on a user’s PC by hijacking it using a brute force method. To regain access to those files, you had to send payment via cryptocurrency to get a key to decrypt your files. However, at the time, there didn’t appear to be a proper decryption key even if you paid.
According to a recent Google report, extortionists made off with $25 million in just two years, and cryptocurrency was the preferred way to get paid. Hackers are also changing the game when it comes to data theft. Rather than leaking the information to the dark markets, an IBM X-Force Intelligence Index report revealed that hackers prefer to hold files hostage in exchange for a ransom payment.
2016 brought massive password dumps, resulting from the highly publicized Yahoo and LinkedIn breaches that exposed millions of users’ passwords to the public and for sale on the dark web. Research has revealed that about 35% of the leaked LinkedIn passwords were already known from previous password dictionaries, leaving those users vulnerable on their other accounts. Researchers at behavioral firewall company Preempt took a look at the LinkedIn credentials and also found that 65% of the leaked passwords can be easily cracked with brute force using standard off-the-shelf cracking hardware. The study also looked at general password intelligence and found that password rules, which many enterprises employ, can still allow users to create weak passwords that are easily cracked, and that many individuals use the same password for multiple accounts, signaling a password epidemic among organizations and their users. “One thing is certain, any person that used the same password for LinkedIn as they did for their work account (or other account), is currently vulnerable within these other accounts,” said Preempt researcher Eran Cohen, in a blog. “Unfortunately, there are many users that don’t make that connection. Their LinkedIn account was breached, so they just change their LinkedIn password, not realizing that if they are using that same password elsewhere, they are actually exposed in all of those places as well. For IT security teams, this is an unknown vulnerability they have to deal with.” Overall, the examination showed that low-complexity passwords can be cracked in less than a day, medium-complexity passwords are cracked in less than a week and high-complexity passwords are cracked in less than a month. “Users reuse passwords. They rotate them. Add a digit to them. And even use identical or share passwords with others,” said Cohen.
“As data scientists, it is our job to go deeper, and identify the common human behavior. For example, we’ve seen how local culture impacts passwords, where local football team names are commonly used as passwords. The problem is that only about 1% of people care and are aware that passwords are based on patterns and these patterns can be tracked or broken.” To stay safe, companies should use a password policy to enforce complexity and password expiration; require longer passwords (8 bad, 10 ok, 12 good); implement a context-based solution to train and enforce password policy based on users’ activity; add additional factors to authenticate users; and educate people to avoid sharing passwords with other employees and cloud services. They should also avoid the use of simple patterns, personal data or common words; and employees shouldn’t repeat passwords when a password expires (enumeration included).
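The policy checks listed above (length tiers, complexity, common words and local team names, personal data, simple patterns, and "old password plus a digit" rotation) can be applied at password-change time. The following is an added example written for this page, not Preempt's tool or code from the article; the common-word list, the sequence list and the 80% similarity threshold for rotation detection are constructed assumptions that a real deployment would replace with a breach-derived dictionary and tuned thresholds.

```python
import re
from difflib import SequenceMatcher

# Constructed sample of common words and local football team names, the kind of
# dictionary the article describes. Assumption: a real deployment loads a large
# breach-derived wordlist here instead.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "football",
                "arsenal", "liverpool", "chelsea", "dragon", "monkey"}

# Short runs that betray keyboard walks or counting rather than random choice.
SIMPLE_SEQUENCES = ("123", "234", "345", "456", "567", "678", "789", "890",
                    "abc", "bcd", "cde", "qwe", "wer", "ert", "asd", "sdf", "zxc")


def length_rating(pw):
    """Map length onto the article's tiers: under 8 rejected, 8 bad, 10 ok, 12 good."""
    n = len(pw)
    if n >= 12:
        return "good"
    if n >= 10:
        return "ok"
    if n >= 8:
        return "bad"
    return "reject"


def has_complexity(pw):
    """Require at least three of the four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, pw)) >= 3


def contains_common_word(pw):
    low = pw.lower()
    return any(w in low for w in COMMON_WORDS)


def contains_personal_data(pw, personal):
    """personal: strings tied to the user (username, surname, birth year, employer)."""
    low = pw.lower()
    return any(len(p) >= 3 and p.lower() in low for p in personal)


def is_simple_pattern(pw):
    low = pw.lower()
    if re.search(r"(.)\1{2,}", low):  # runs such as aaa or 111
        return True
    return any(s in low for s in SIMPLE_SEQUENCES)


def is_enumeration(new, old):
    """Detect 'same password plus a counter' rotations. This runs at change time,
    when the user supplies the old password in clear; stored hashes cannot be
    compared this way."""
    if old is None:
        return False
    strip = lambda s: re.sub(r"[\d\W_]+$", "", s.lower())  # drop trailing digits/symbols
    core_new, core_old = strip(new), strip(old)
    if core_new and core_new == core_old:
        return True
    # Assumption: 80% similarity is the cut-off for "barely changed".
    return SequenceMatcher(None, new.lower(), old.lower()).ratio() >= 0.8


def evaluate(pw, old=None, personal=()):
    """Return (accepted, findings) for a proposed password; findings are short tags."""
    findings = []
    rating = length_rating(pw)
    if rating in ("reject", "bad"):
        findings.append("length:" + rating)
    if not has_complexity(pw):
        findings.append("complexity")
    if contains_common_word(pw):
        findings.append("common-word")
    if contains_personal_data(pw, personal):
        findings.append("personal-data")
    if is_simple_pattern(pw):
        findings.append("simple-pattern")
    if is_enumeration(pw, old):
        findings.append("enumeration")
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed inputs: a team name with a year, a counter rotation, and a sound choice.
    for pw, old in (("Arsenal2017!", None), ("Winter2018!", "Winter2017!"), ("Tq7#vLm9pXw2", "Winter2017!")):
        print(pw, evaluate(pw, old=old, personal=["jdoe", "1985"]))
```

The rotation check is the part most policies miss: a system that only compares the new hash against the old one cannot see that "Winter2018!" replaced "Winter2017!", whereas stripping the trailing counter before comparing catches it.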
The databases were stolen between 2011 and 2017 from widely visited forums providing information about Bitcoin mining and trading. The combined number of records stolen from these forums is more than 12,000,000, including 536,727 accounts from MerlinsMagicBitcoin.com, which suffered a data breach in January 2017; 514,409 accounts from the BitcoinTalk.org forum, which was hacked in May 2015; 568,357 stolen from BTC-E.com back in October 2014; 21,439 accounts from BTC4Free.com, which was hacked in January 2014; 3,153 from Bitcoin.Lixter.com, which was breached in September 2014; 1,780 BitLeak.net accounts stolen back in March 2014; 28,298 DogeWallet.com accounts stolen in January 2014; 61,011 MtGox.com accounts stolen in June 2011; 34,513 from BitsCircle.com (breach date unknown); 10,855,376 from BitcoinSec from a 2014 breach; and 3,149 accounts from TheBitcoinShop.pixub.com (breach date unknown). In some cases the passwords have already been recovered in clear, while others are stored as SHA-1 hashes, which are easy to crack since Google security researchers broke the SHA-1 hash function last month. The price set for this data is USD 400 (BTC 0.3817). It must be noted that BitcoinTalk.org and BTC-E.com are two of the most important Bitcoin-related platforms, and their data has been sold on the dark web since 2016 by several other vendors. However, we are not sure about the rest of the platforms. Either way, if you have an account on any of the forums mentioned above, change your password as soon as possible. Also, some of the forums discussed aren’t active anymore; therefore, the relevance of their data is out of the question.
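The storage scheme matters as much as the breach itself: an unsalted SHA-1 dump lets a defender (or a buyer) see at a glance which users share a password, because identical passwords produce identical digests, and a single precomputed lookup then covers all of them. The following is an added example, not code from the report or from any of the forums named above, contrasting that scheme with salted, iterated PBKDF2-HMAC-SHA256 from the Python standard library. The iteration count, the record format and the sample accounts are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumption: tune this upward to the slowest cost the login path tolerates.
PBKDF2_ITERATIONS = 100_000


def legacy_sha1(password):
    """Unsalted SHA-1, the storage scheme the report says some forums used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256; returns a self-describing record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def shared_hash_groups(dump):
    """Group usernames whose stored value is byte-identical. In an unsalted dump
    every group larger than one is a set of users sharing a password; with
    per-user salts the same passwords no longer collide."""
    groups = defaultdict(list)
    for user, stored in dump:
        groups[stored].append(user)
    return [users for users in groups.values() if len(users) > 1]


# Constructed sample accounts (not taken from any real dump).
SAMPLE_USERS = [("alice", "football1"), ("bob", "football1"), ("carol", "Tq7#vLm9pXw2")]


def compare_schemes(users=SAMPLE_USERS):
    """Hash the same accounts both ways and report which scheme leaks shared passwords."""
    legacy = [(u, legacy_sha1(p)) for u, p in users]
    salted = [(u, hash_password(p)) for u, p in users]
    return {"legacy_groups": shared_hash_groups(legacy),
            "salted_groups": shared_hash_groups(salted)}


if __name__ == "__main__":
    print(compare_schemes())
    rec = hash_password("football1")
    print(rec)
    print(verify_password("football1", rec), verify_password("football2", rec))
```

Migrating a legacy table is usually done lazily: keep the old SHA-1 until the user next logs in, verify against it once, and immediately re-store the password under the salted scheme.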
The breach indicates that even the more capable Asian states are struggling to confront cyber threats. On February 28, Singapore’s defense ministry (MINDEF) disclosed that a breach of an Internet-connected system earlier this month had resulted in the personal data of 850 national servicemen and employees being stolen. Though the impact of the breach was quite limited, it nonetheless highlights the difficulties that Singapore faces as it confronts its growing cyber challenge. According to MINDEF, the I-net system used by personnel to access the Internet through terminals at the ministry and other facilities was breached by an attack in early February. While personal data, including identification numbers, phone numbers, and dates of birth, were believed to have been stolen during the incident, the ministry said no classified information was compromised because it is stored on a separate system not connected to the Internet. As I have noted before, Singapore has been paying keen attention to the cyber domain as a developed, highly networked country. Singapore is particularly vulnerable as it relies on its reputation for security and stability to serve as a hub for businesses and attract talent. Indeed, last year, Deloitte found that Singapore was among the five Asian countries most vulnerable to cyber attacks (See: “Singapore Among Most Vulnerable to Cyberattacks in Asia”). In response, Singapore has unveiled a series of initiatives aimed at boosting cybersecurity, including creating new institutions, safeguarding critical infrastructure, training cyber security personnel, and collaborating more with the private sector (See: “Singapore’s Cyber War Gets a Boost”).
And as I noted before, Prime Minister Lee Hsien Loong also outlined Singapore’s overall cybersecurity strategy at the inaugural Singapore International Cyber Week in October last year (See: “Singapore Unveils New ASEAN Cyber Initiative”). Nonetheless, the cyber attack this week is a reminder that even the more capable states in the Asia-Pacific continue to struggle with confronting threats in the cyber realm. This was the first publicly disclosed cyber attack that MINDEF has experienced, and the ministry has described it as “targeted and carefully planned,” with the purpose of gaining access to official secrets. And based on what Singaporean officials have discovered so far, the attack appears to be less like the work of regular hackers and more along the lines of sophisticated state or state-backed actors.