How to harvest 1.2 billion usernames and passwords

Last week it was revealed that Russian hackers harvested 1.2 billion usernames and passwords from numerous websites. You should get really upset. People are continuously lectured by security experts on how to create a secure password with upper case letters, lower case letters, special characters and numbers. Yet the lack of security on these websites is outrageous.

The simplicity of the attack demonstrates either the complete naïveté of these companies regarding website security or their disregard for protecting their customers' information. For a non-technical user it might sound very sophisticated and difficult to imagine how to break into these websites. However, here is a simple technical description (for illustrative purposes) that anybody can follow with minimal technical knowledge.

  1. Get a list of websites. Where? provides a list of the top 1 million websites. They have the highest traffic and the most registered users.

  2. Write a script that scans all the websites and looks for SQL queries embedded in the web pages. SQL is the language used to query databases, and databases are where your personal information is stored.

  3. Modify the SQL query and test it for vulnerability to SQL injection. SQL injection is in the top 10 website vulnerabilities. A basic description of SQL injection is here.

  4. Download all the information from the vulnerable website. Go back to step 3 and repeat until you exhaust your list.

  5. Now that you have all the information, break into individual accounts, steal banking information, steal identities, apply for credit cards, make online purchases, or sell the information to others.
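To make step 3 concrete from the defender's side, here is an added example (not code from the original post) showing the kind of query that makes a site vulnerable next to its hardened, parameterized form. It uses Python's built-in sqlite3 with a constructed in-memory table; the `users` table, its rows and the function names are assumptions for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data (assumption); a real site holds millions of such rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("bob", "bob@example.com")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The weak pattern: user input is glued into the SQL text itself, so the
    # input becomes part of the query's syntax rather than a value it compares.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    # The fix: a parameterized query. The value travels separately from the
    # SQL text, so whatever it contains is only ever treated as data.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    normal = "alice"
    # The textbook tautology from any SQL injection primer: the quote closes
    # the string literal and the OR makes the WHERE clause true for every row.
    tautology = "' OR '1'='1"
    return {
        "normal_vulnerable": lookup_vulnerable(conn, normal),
        "normal_hardened": lookup_hardened(conn, normal),
        "injected_vulnerable": lookup_vulnerable(conn, tautology),  # every row leaks
        "injected_hardened": lookup_hardened(conn, tautology),      # no such user
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The hardened lookup returns nothing for the crafted input while the concatenated one dumps the whole table, which is exactly the difference between a site that survives step 3 and one that feeds step 4.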

The software required for this simple exercise can be downloaded free of charge. Detailed descriptions of how to write secure code can be downloaded for free as well. If you care about your customers, I can help you.
