A cybersecurity firm says it has uncovered stolen credentials from 360 million accounts that are available for sale on online black markets, though it is unsure where they came from or what they can be used to access.
The discovery could represent more of a risk to consumers and companies than stolen credit-card data because of the chance the sets of user names and passwords could open the door to online bank accounts and virtually any other type of computer system.
Alex Holden, chief information security officer of Hold Security, said on Tuesday that his firm obtained the data over the past three weeks.
"The sheer volume is overwhelming," said Holden, whose firm last year helped uncover a data breach at Adobe Systems in which tens of millions of records were stolen.
Holden said he believed the 360 million records were obtained in separate attacks, including one that yielded some 105 million records, which would make it the largest single credential breach known to date.
He said he believed the credentials were stolen in breaches that had yet to be publicly reported. The companies attacked might remain unaware until they were notified by third parties who find evidence of the hacking, he said.
"We have staff working around the clock to identify the victims," he said.
He has not provided any information about the attacks to other cybersecurity firms or authorities but intends to alert the companies involved if his staff can identify them.
The trove of credentials includes user names, which are typically e-mail addresses, and passwords that in most cases are in unencrypted text.
Holden said that in contrast, the Adobe breach, which he uncovered in October, yielded tens of millions of records that had encrypted passwords, which made it more difficult for hackers to use them.
The e-mail addresses are from major providers such as AOL, Google, Microsoft and Yahoo and almost all Fortune 500 companies and non-profit organisations. Holden said he alerted one major e-mail provider that was a client. He declined to identify the company, citing a non-disclosure agreement.
Heather Bearfield, who runs the cybersecurity practice for accounting firm Marcum, said she had no information about the information that Hold Security uncovered but that it was plausible for hackers to obtain such a large amount of data because such breaches were on the rise.
She said hackers can do far more harm with stolen credentials than with stolen payment cards, particularly when people use the same login and password for multiple accounts.
"They can get access to your actual bank account. That is huge," Bearfield said. "That is not necessarily recoverable funds."
After recent payment-card data breaches, including one at US retailer Target, credit card companies said that consumers bear little risk because they are refunded for fraud losses.
Wade Baker, a data breach investigator with Verizon Communications, said that the number of attacks targeting payment cards through point-of-sales systems peaked in 2011. That was partly because banks and retailers had gotten better at identifying that type of breach and moving to prevent crooks from making fraudulent transactions, he said.