A gang of hackers in Russia has amassed 1.2 billion sets of stolen user names and passwords, according to a US security company that says it is the largest known hoard of stolen personal information.
The pilfered records, associated with about 500 million unique email addresses, were discovered by Hold Security, which sells information-security and risk-management services. The findings were based on seven months of research, though the company did not give a time period for the theft or name any websites that were hacked.
"We have been collecting information to help our customers stay more secure," said Alex Holden, the founder and chief information security officer of the company based in Milwaukee, Wisconsin. "We found that it was such a great impact to society that we decided to make a public statement."
While the claim by Holden still has to be verified, the details and scope of the attack are not surprising, said J.D. Sherry, vice-president for technology and solutions at security firm Trend Micro in the US.
"The eastern European shadow economy is stocked with treasure troves of data as well as national security assets in the form of elite hackers," Sherry said. "It is plausible that a single syndicate has cornered the market and compromised over a billion credentials over an extended period of time."
The New York Times first reported the attack, saying the records were gathered from 420,000 websites including major listed companies. "They targeted any website they could get, ranging from Fortune 500 companies to very small websites," Holden told the newspaper. "And most of these sites are still vulnerable."
Holden told Bloomberg that the hackers operated from central Russia near the border with Kazakhstan. He declined to provide exact details about their location or identities to avoid jeopardising potential law enforcement operations.
According to Hold Security's assessment, the hacking ring is composed of several young men who work as a team.
"There is a division of labour within the gang," Holden told The New York Times. "Some are writing the programming, some are stealing the data. It's like you would imagine a small company; everyone is trying to make a living."
Data was extracted from websites using a network of compromised computers known as a botnet. Not all of the stolen records were valid or current.
Additional reporting by McClatchy-Tribune