In what’s believed to be the largest stockpile of stolen Internet credentials in history, a Russian hacking ring has gathered more than 1.2 billion unique Internet credentials, according to Web security experts. The relatively small group has reportedly collected passwords along with user names and email addresses.
“This year is already on track to be the year of the mega-mega breach,” Orla Cox, director of security response for the anti-virus software company, Symantec.
The news was first reported by The New York Times, which says the group attacked all kinds of websites to steal data: large and small, and in countries from Russia to the U.S. and elsewhere.
Milwaukee-based Hold Security confirms to NPR it discovered the breach. The confidential material was gathered from more than 420,000 websites, ranging from small operations to those of major corporations.
Hold Security hasn’t revealed which businesses are vulnerable, in part because of nondisclosure agreements and in part because many of their websites remain vulnerable. Security experts say it’s unclear what the hackers will do with the data, so it’s smart to go ahead and change your passwords.
“I think all Internet users should assume they’ve been impacted by this,” says Cox. “Clearly these aren’t opportunists, they aren’t hobbyists. These are full time cyber-criminals they have been likely carrying this out for a number of months, maybe even years.”
As for more details about the hacking gang, the Times says it has grown more ambitious since starting out as a spam operation in 2011.
From the Times:
“The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are believed to be in Russia.”