A Russian crime ring has accumulated over 1 billion Internet credentials, the New York Times is reporting. The hacking ring, apparently based in a small city in south-central Russia, is said to have 1.2 billion stolen usernames and passwords, including access to 500 million email addresses. The discovery was made by Hold Security, a Milwaukee, Wisc., firm that specializes in Internet security and in discovering significant hacks. According to Hold Security, the stolen information was gathered from over 420,000 websites. Hold Security would not name the victims. The Times has independently confirmed the findings.
Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites.
Alex Holden, the founder and chief information security officer of Hold Security, to the New York Times
It’s not the first major breach of personal online data, but it appears to be the largest, by far. Some 40 million Target users had their personal information hacked last December, and earlier this year the Canadian Revenue Agency shut down its tax return website after it was revealed that many users had their information, including social insurance numbers, hacked. According to Hold Security, the data collected by the Russian ring has not been sold. Instead, the ring is using the information to spam social networks on behalf of other groups for a fee.
Companies that rely on usernames and passwords have to develop a sense of urgency about changing this. Until they do, criminals will just keep stockpiling people’s credentials.
Avivah Litan, a security analyst at the research firm Gartner, to the New York Times