The NY Times reports on records uncovered by Milwaukee-based Hold Security, which claims to have found evidence of this massive cache of data, stolen from some 420,000 different websites.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Alex Holden, the founder and chief information security officer of Hold Security, tells the Times. “And most of these sites are still vulnerable.”
The company is not naming victims for various reasons, including the fact that it doesn’t want to encourage attacks on sites that remain vulnerable to hacks. Some of the companies victimized by the hack are already aware that their data has been compromised.
Holden says he plans to alert law enforcement to his company’s findings, but the Times points out that the Russian government has a history of not making cybercrime a priority.
Unlike other hackers, who make money by selling stolen credentials on the black market, the Russian hackers appear to be using most of the info they took to send spam.
Holden says the hackers involved in this mass theft began as spammers in 2011. They would buy stolen databases of personal information and get paid to send spam using this information. Earlier this year, Holden says, the group started stealing credentials on its own.
In total, they collected 4.5 billion credentials, though many of them overlap. Hold Security’s review of the stolen data turned up 1.2 billion unique user name/password pairings.
The growing number of attacks shows the importance of added security requirements, like two-factor authentication, where an ID/password combination is useless unless the hacker also has access to a unique code that is generated every time and sent via text message or through an app.