Biggest-ever hack: Russian crooks 'grab 1.2 billion user names and 500 million e-mail addresses'


By Noel Young, Correspondent

August 6, 2014 | 4 min read

A Russian crime ring has amassed 1.2 billion user name and password combinations and more than 500 million email addresses,the New York Times has revealed.

Alex Holden: Sites are still vulnerable

It is the largest known collection of stolen Internet credentials, the paper says.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites.

Hold Security's record is impressive. Last year they uncovered the theft of tens of millions of records from Adobe Systems. In February, Hold Security also uncovered a database of 360 million records for sale collected from multiple companies.

Hold Security would not name the victimsof the latest Russian capture, said the NYT, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable.

A security expert unconnected with Hold Security analysed the database of stolen credentials for the NYT and confirmed it was authentic.

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”

Holden, decided to make details of the attack public this week to coincide with discussions at an industry conference.

He also wanted to let the many small sites he will not be able to contact know that they should look into the problem.

The hacking ring is based in a small city in south central Russia, said the Times , the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally

Their computer servers are thought to be in Russia.

Websites inside Russia had been hacked, too, and Holden said he saw no connection between the hackers and the Russian government.

He said he planned to alert Russian law enforcement after making the research public.

So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for doing so.

Many worry that keeping personal information out of the hands of thieves is increasingly a losing battle. In December, 40 million credit card numbers and 70 million addresses, were stolen from the US retail giant Target by hackers in Eastern Europe.

In October, federal prosecutors said an identity theft service in Vietnam managed to obtain as many as 200 million personal records, including social security numbers, credit card data and bank account information from Court Ventures, a company now owned by the data brokerage firm Experian.

But the discovery by Hold Security dwarfs those incidents, said the Times.

The disclosure comes as hackers and security companies gathered in Las Vegas for the annual Black Hat security conference this week.

The average total cost of a data breach to a company increased 15 percent this year from last year, to $3.5m per breach, from $3.1m, according to a joint study last May, published by the Ponemon Institute, an independent research group, and IBM.

Content created with:

Hold Security

Find out more


Industry insights

View all
Add your own content +