At least 1.2 billion Internet usernames and passwords were stolen by a gang of Russian hackers, according to The New York Times on Tuesday. Along with the usernames and password combinations, security researchers say that 500 million email addresses were also stolen. Russian hacking networks have been deemed the "untouchables of the internet" by Trend Micro Chief Cybersecurity Officer Tom Kellermann, because Russia remains a safe zone for these criminals.
Politico reported that this is the biggest online personal information haul in history. The danger is reportedly what these hackers can deduce from the stolen data. CrowdStrike General Counsel Steve Chabinsky told Trend Micro that people usually don't follow the advice of security experts and use variations of the same password for different online accounts. Hackers know this and will use these usernames and passwords to attempt to breach other accounts.
The stolen data and "CyberVor" gang, also known as cyber thief in Russian, was discovered by Hold Security, an American company out of Milwaukee, and was then verified by an independent security expert. Hold Security firm isn't specific about the hackers identity, but they are reportedly not connected to the Russian government and include about a dozen individuals from south-central Russia. The firm is also not naming any of the victims or how exactly the hackers obtained the data. Alex Holden, the founder and chief information security officer of Hold Security, said that he wanted to "avoid discussing details about the hackers whereabouts and names in case law enforcement has an ongoing investigation."
Apparently, the huge stockpile of data was stolen from hundreds of thousands of websites. Hold Security says the hackers hit 420,000 web addresses for large and small websites and includes leaders in all industries from across the world, as well as small and personal websites. A security analyst with Gartner says that this type of theft has been documented for a long time, but the amount of information stolen in this case is notable. Reportedly, the cybercriminals are only using the data so far to send out spam on social media sites.
Darren Hauck for The New York Times is telling Internet users to assume their personal information was stolen. There is no way right now to find out for sure, but Hold Security is working on a tool that will allow consumers to find out if their information has been stolen. In the meantime, individuals are encouraged to at least change their passwords for sites that may contain sensitive information like financial or health data and to create unique passwords for each site.