In February, the cybersecurity firm Hold Security LLC reported on an enormous stockpile of 360 million stolen account credentials. It was a staggering and unprecedented number. But now the company has released new research revealing a Russian hacking group that has stolen 1.2 billion sets of unique login credentials, and 4.5 billion records in all. It’s hard to even comprehend.
Hold Security told the New York Times that the data comes from more than 420,000 websites big and small, but the firm says it isn’t listing the sites right now because doing so could pose additional risks to users. (Plus in some cases it is bound by nondisclosure agreements.) The Times used a third-party security expert to assess Hold Security’s findings and found them to be accurate.
The Russian hacking group seems to be based with its servers in central Russia, and is composed of about 10 young men who work together on programming and data collection. The group seems to have started in 2011 but ramped up productivity in April using a vast network of botnets to infect users with malware and monitor their browsing. If they go to sites that the botnets know are vulnerable to attack the hackers can collect users’ credentials. Alex Holden, Hold Security’s founder and chief information security officer, told the Times, “There is a division of labor within the gang. … It’s like you would imagine a small company; everyone is trying to make a living.”
The 1.2 billion unique credentials include 542 million email addresses, which is really a lot. But what is even a lot anymore? It seems like these numbers will just keep growing unless the mainstream approach to account security changes.