The New York Times reports that a gang of Russian hackers has amassed a collection of 1.2 billion usernames and passwords for online accounts, along with 500 million email addresses, gained from 420,000 different websites.
This staggering trove of user information was first uncovered by Milwaukee, Wis.-based cybersecurity firm Hold Security, which was also responsible for uncovering a hack that exposed millions of customer records held by Adobe last year.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Hold Security founder Alex Holden told the Times. “And most of these sites are still vulnerable.”
Hold Security has said that the hackers haven’t appeared to sell many of the records online. Rather, they use the information to gain access to individual users’ social media accounts for sending out spam on behalf of their clients.
The group allegedly consists of only a handful of people operating out of a city in central Russia. They started as small-scale spammers in 2011, but eventually graduated to using botnets of computers secretly loaded with a piece of software that tests every website the infected machine visits for its susceptibility to a commonplace hacking technique called SQL injection. Once the group knew that a site’s security could be compromised, they would then attack it and gain all the information they could.
The report did not name the group nor did it identify the specific city in which they are based.
Hold Security hasn’t made public which websites were compromised, citing non-disclosure agreements and the fact that many of the sites in question remain vulnerable to copycat attacks from other hackers. The list supposedly runs the gamut from small, independent operations to major sites people around the world use on a daily basis.