A Russian group has hacked 1.2 billion usernames and passwords belonging to more than 500 million email addresses, according to Hold Security – a US firm specialising in discovering breaches.
Hold Security described the hack as the “largest data breach known to date”.
It claimed the stolen information came from more than 420,000 websites, including “many leaders in virtually all industries across the world”.
Hold Security did not give details of the companies affected by the hack.
“They didn’t just target large companies; instead, they targeted every site that their victims visited,” Hold Security said in its report.
“With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”
The New York Times, which first reported the findings, said that on its request “a security expert not affiliated with Hold Security analysed the database of stolen credentials and confirmed it was authentic”.
“Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information,” the paper said.
The paper added: “Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable.”
Hold Security, which has previously reported about hacks on Adobe and Target, said it took more than seven months of research to discover the extent of the latest hack.
The firm claimed the gang initially acquired databases of stolen credentials from fellow hackers on the black market.
“These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems,” Hold Security said.
The hackers also got access to data from botnets – a network of computers infected with malware to trigger online fraud.
Hold Security said the botnets helped the hacking group – which it dubbed CyberVor – identify more than 400,000 websites that were vulnerable to cyber attacks.
“The CyberVors used these vulnerabilities to steal data from these sites’ databases,” the firm said.
“To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totalling over 1.2 billion unique sets of e-mails and passwords.”