Researchers find 1.5 million stolen social networking passwords

A recently discovered stash of 1.5 million stolen passwords and credentials for social networking sites may usher in a new wave of U.K. cybercrime.

A newly discovered stash of more than 1.5 million stolen passwords and account details from social networking sites could, some say, mark the beginning of a new wave of cybercrime in the U.K.

The discovery was made by researchers at iDefense Labs, the cybersecurity intelligence arm of VeriSign Inc. The researchers were trawling through underground trading forums used by cybercriminals, and according to Rick Howard, director of intelligence at the company, they "just stumbled on this."

The credentials were being sold by a user, believed to be a Russian hacker, going by the name of 'kirllos,' with the price varying according to the number of friends associated with the stolen account. For accounts with 10 contacts or fewer, the price was $25 per 1,000 accounts; while $45 would buy 100 accounts each with more than 10 online friends.

Howard said it is too early to call this sort of social networking credential theft a trend, but it may be an indicator of what's to come.

"It is just a blip on the radar screen so far. The volume is what makes it interesting," Howard said. "This Russian hacker looks as if he is ready to move into the west. They usually stick in their own area, mainly because of language skills, but this guy also speaks English." He said this kind of crime had been mainly confined to Russian-speaking countries up to now, but that new discovery indicated a more international operation focusing on English-speaking countries.

He said the researchers had not looked at the stolen passwords and other credentials, but the sheer volume indicated they had been gleaned from several countries. He added that shortly after putting the passwords on sale, the hacker reappeared on the site to say he still had some credentials left for sale, but that he had already sold half of them.

Stolen passwords and account details can be used for a variety of criminal purposes. Criminals can access the account and try to exploit the trust of friends to part with money. Or they can use the personal information contained on many sites to engage in identity theft to set up fraudulent activities such as bank accounts, wire transfer services or online gambling.

They may also use harvest friends' email addresses for spamming or phishing campaigns. And some accounts may even provide criminals with personal information that would help them apply for official documentation, such as a driver's licence or passport, Howard said.

Read more on Identity and access management products