Russian Hackers Hoard Over One Billion Passwords

Today, Hold Security revealed in a report for the New York Times that a group of Russian hackers has amassed one of the largest collections of usernames, passwords, and emails in the history of the internet itself.


According to Hold Security CEO Alex Holden, around 1.2 billion (that’s billion with a “b”) credential combos, along with 500 million email addresses, were pulled from a cache of somewhere in the neighborhood of 420,000 different websites sourced out of just about every connected country around the globe.

This is far and away the largest password pull to be amassed in the world of underground hacking, and marks a significant milestone in the timeline of online security. Hold Security refused to name any of the affected sites, both because of several non-disclosure agreements and because many of the companies that had their data pilfered still have massive holes in their architecture, which would allow less-skilled hackers to target them if knowledge of their vulnerabilities somehow became public.

“Most of these sites are still vulnerable,” said Mr. Holden, emphasizing that the hackers continue to exploit the vulnerability and collect data.

The gang responsible for the heist has been under a close microscope for the past several months as Hold attempted to track everything from their bank accounts to the hierarchy within their ranks.

Based out of a city in southern central Russia, just outside of the borders between Mongolia and Kazakhstan, the whole operation comprises fewer than a dozen 20-somethings who all know each other in real life (or IRL, as they say online), and show up to “work” each day where they punch a clock, get paid a common salary, and get commissions based on each breach they successfully execute on their own.

“Companies that rely on usernames and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at Gartner, the research firm. “Until they do, criminals will just keep stockpiling people’s credentials.”

The gang is divided into sectors, with each compartment of code monkeys taking on a different portion of the task of finding weak points in large websites, exploiting the weakness, and bringing the data back down to a server located in the same country.

“There is a division of labor within the gang,” Mr. Holden said. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”

Holden refused to disclose the names of the web portals that have been affected by the crack. However, considering the statistics of Internet usage from around the globe, there’s about a one-in-three shot you or someone you know on your network has had their information compromised.

He did, however, allude to a tool that he and his team have in the works that should allow you to query whether or not your information has been stolen as a part of the historic heist. No word on when we can expect its release, and until then the security firm suggests that you change all passwords on every account you own while more information about the problem leaks out over the next few months.