A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses, security researchers say.
The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.
Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data but was not allowed to discuss it publicly said some big companies were aware that their records were among the stolen information.
“Hackers did not just target U.S. companies; they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”
Websites inside Russia had been hacked too, and Holden said he saw no connection between the hackers and the Russian government. He said he planned to alert law enforcement after making the research public, though the Russian government has not historically pursued accused hackers.
So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.
Like other computer security consulting firms, Hold Security has contacts in the criminal hacking community and has been monitoring and even communicating with this particular group for some time.
The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are believed to be in Russia.
Holden said his team had begun alerting victimized companies to the breaches but had been unable to reach every website. He said his firm was also trying to come up with an online tool that would allow individuals to securely test for their information in the database.