Russian Hacker Group Steals More Than a Billion Passwords

By
Photo: Patrick Lux/2013 Getty Images

On Tuesday, there was some good news for Target and bad news for just about everyone else who uses the internet. The retailer is about to become just one name on a long list of hacked companies, as a Russian crime ring has assembled the largest known collection of stolen online credentials. The New York Times reports that the records were discovered by Hold Security, a private security company, and an unaffiliated security expert confirmed that they are authentic. Hold Security said the group has 1.2 billion username-and-password combinations, and more than 500 million email addresses, but it would not name the affected sites. "Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites," said Alex Holden, Hold Security's founder and chief information security officer. "And most of these sites are still vulnerable."

The group operates out of a small city in south-central Russia and consists of less than a dozen men in their 20s. It appears they're being hired by other groups to spam social networks like Twitter using the stolen information. The Times helpfully points out that this isn't the smartest business move, noting that "selling more of the records on the black market would be lucrative."

Holden said he wanted to make the information public now so smaller sites he's unable to contact can begin looking into the problem. As Forbes reports, when The Times posted its story, Hold Security had a notice on its site about a new breach-monitoring service that can "check to see if your company has been a victim of the latest CyberVor breach" for a small monthly fee. It's subsequently been replaced by a "coming soon!" notice, and Holden told The Times that the firm is working on an online tool that would let individuals determine if their information is in the stolen database. Since we don't have any concrete information about the affected companies, all internet users can do for now is ponder whether they should finally stop using the password "12345."