Criminals in Russia have amassed a huge database of 1.2 billion stolen user names and passwords and half a billion email addresses, a U.S.-based Internet security company said Wednesday.
The data, believed to be the single biggest horde of stolen Internet identity information ever collected, was garnered from attacks that reached into every corner of the Web and hit around 420,000 sites, said Hold Security.
“Before, we were amazed when 10,000 passwords [went] missing. Now we’re in the age of mass production of stolen information,” Alex Holden, the company’s founder and chief information security officer, told IDG News Service in a telephone interview.
Hold Security didn’t identify the websites that were breached, citing confidentiality agreements with clients, but it said they include household names as well as small websites.
The New York Times, which first reported the story, said it hired an independent security expert who verified that the stolen data is authentic.
The sheer scale of the database appears to dwarf similar discoveries in the past. By comparison, the recent theft from Target affected 40 million credit and debit card numbers and 70 million personal records.
That was one of the largest breaches of all time, but the activities of the Russian gang take identity theft to a new level.
“These guys did nothing new or innovative,” said Holden. “They just did it better and on a mass level so it affects absolutely everybody.”
The group behind the attack appears to be based in south central Russia, Holden told The New York Times. He said they didn’t appear to have government links and were a group of around a dozen people in their 20s. With servers based in Russia, the group expanded its activities earlier this year, probably after partnering with a larger organization, he told the newspaper.
Hold Security named the gang CyberVor, after the Russian word “vor,” for thief.
The company said it will provide a service to let people check if their credentials are among those stolen. The information will be available within 60 days, and it says people can pre-register for it now.
The breach will once again spotlight the insecurity of user names and passwords as a method of gaining access to websites, especially as people often use identical or similar credentials for many sites.
Teaching people to use passwords in a secure manner is important, Holden told IDG News Service, but “the real breach” is often of the trust that users place in the company holding their data, he said.
“If there was a way to do it on a large scale using biometrics, that would be better but much more cumbersome,” he said. “Using a cellphone as a secondary form of authentication works, but in some cases that can be compromised.”
Hold Security tracks online breaches on behalf of its customers and has uncovered some major hacks in the past. Last October it uncovered the theft of 153 million credentials from Adobe Systems, and a month later revealed a breach at dating site operator Cupid Media that exposed 42 million records.
This story was updated at 3:27 p.m. PT with additional information.
Updated at 9:27 p.m. PT with the name of the gang.