The entire collection is even bigger - 4.5 billion compromised records - but many of them overlapped. Nevertheless, this is considered to be the biggest haul of login credentials ever made by criminals.
After having researched the matter for seven months, the company has identified the gang holding this cache and has dubbed it “CyberVor” (“vor” meas “thief” in Russian).
Its members all live in a small city in south central Russia, and they are a tight group of less than a dozen men that also know each other offline, Alex Holden, the founder and CISO of Hold Security shared with the New York Times.
"Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach," the company explained in a blog post published on Tuesday.
The gang hired a botnet that tested sites for vulnerabilities that might be exploited to steal the contents of the sites' user database(s).
"The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone," the researchers noted. "To the best of our knowledge, they mostly focused on stealing credentials."
The group had apparently no preference when it came to sites to target. Big or small, the only thing that mattered to them that they are asking users to register, and that they were vulnerable.
Holden says that the databases of a lot of popular websites have been thusly compromised, but he didn't name them. The company has been trying to contact a lot of the affected sites' owners, but couldn't possibly reach all of them, so they made a public announcement in the hopes that they will check their website(s) for SQL injection vulnerabilities and patch them if discovered.
"Whether you are a computer expert or a technophobe, as long as your data is somewhere on the World Wide Web, you may be affected by this breach. Your data has not necessarily been stolen from you directly. It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family," the researchers explained.
"4.5 billion credentials seems like an impossible number, but just think of how many sites require you to register your e-mail address and, let’s face it, almost everyone re-uses their passwords."
To help individual users affected by this, the company has announced that it will provide a full electronic identity monitoring service within the next 60 days. Also, they are working on creating an online tool which will allow users to (securely) check whether some of their own login credentials are contained in this mega-cache.
"We have learned of a huge issue where it seems like billion passwords were stolen overnight, but in reality the iceberg has been mostly submerged for years – crime rings have been stealing information for years, they’ve just been doing it undetected because there hasn’t been a concerted effort on the part of companies entrusted with this information to protect it," commented John Prisco, CEO, Triumfant.
As the issue of stolen user information and passwords is unlikely to be solved soon, Eric Cowperthwaite, VP of advanced security and strategy at Core Security, urged sites owners and companies to implement two-factor authentication, and users to start using a password manager and change their passwords frequently.