More than half a billion email addresses, and 1.2 billion username and password combinations, are in the hands of a Russian crime syndicate, according to a New York Times report.
The database was apparently discovered by researchers at Hold Security. They haven’t disclosed which websites are affected, but there are a whopping 420,000 of them and they range from Fortune 500 firms to “very small websites.” Hold, which is about to present its findings at the Black Hat security conference this week, isn’t naming any of the affected sites just yet because of non-disclosure agreements and the fact that many remain unpatched.
This is probably the biggest illicit stash of personal information that has yet been found. However, as Forbes has pointed out, Hold also charges companies to tell them whether or not their websites have been breached — there’s arguably a conflict of interest here, though it’s worth noting that the NYT also brought in its own security expert to verify the database’s authenticity.
According to the NYT report, Hold has found no apparent connection with the Russian government. The criminals, who are located in “a small city in south central Russia,” seem to be generally using the information to send spam on social media accounts, rather than selling it.
Hold said many computers were infected with malware that made them part of a botnet. When those computers’ owners went on to browse the web, the malware probed the defenses of visited sites, using a technique called SQL injection to plunder the sites’ databases where possible. The 1.2 billion figure is the number of unique username-password combinations that the researchers found – that’s after whittling it down from 4.5 billion records, many of which overlapped.
So here we go again: Time to change up your passwords for the gazillionth time, make sure they’re different passwords on different sites, urge service providers to adopt two-factor authentication and hope that passwords will die already in the near future.