Russian hackers have collected over 1 billion Internet credentials, security firm says

A Russian crime ring has accumulated over 1 billion Internet credentials, the New York Times is reporting.

The hacking ring, apparently based in a small city in south-central Russia, is said to have 1.2 billion stolen usernames and passwords, including access to 500 million email addresses.

The discovery was made by Hold Security, a Milwaukee, Wisc. firm specializing in Internet security and discovering significant hacks. According to Hold Security, the stolen information was gathered from over 420,000 websites. Hold Security would not name the victims.

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Alex Holden, the founder and chief information security officer of Hold Security, told The Times. “And most of these sites are still vulnerable.”

It's not the first major breach of personal online data, but it appears to be the largest, by far. Some 40 million Target users had their personal information hacked last December, and earlier this year the Canadian Revenue Agency shut down its tax return website after it was revealed that many users had their information, including social insurance numbers, hacked.

According to Hold Security, the data collected by the Russian ring has not been sold. Instead, they are using the information to spam social networks on behalf of other groups for a fee.

The leak reinforces the fact that online users should protect their personal information and change their usernames and passwords frequently or risk identity theft. Credit cards can easily be cancelled, but more valuable information – like email addresses and social insurance numbers – can be used for identity theft. Frequent online users should also never use the same password for multiple sites.

According to The Times, the Russian ring at the centre of the theft collected over 4.5 billion records earlier this summer. After sorting through the data to remove duplicates, they were left with 1.2 billion unique records, and some 542 million email addresses.

Holden says Hold Security has been in contact with many of the victimized website companies, but the firm has not reached all of them.

“Companies that rely on usernames and passwords have to develop a sense of urgency about changing this,” Avivah Litan, a security analyst at the research firm Gartner, told The Times. “Until they do, criminals will just keep stockpiling people’s credentials.”