Hold Security, a Wisconsin information security firm, has revealed to The New York Times that a small Russian hacker group has amassed a humongous database of usernames and passwords. In total, the group allegedly has 1.2 billion username/password combinations, stolen from around 420,000 websites through SQL injection attacks.
Because of disclosure agreements, Hold Security could not name the hacker group or the sites affected, noting that some are still potentially vulnerable to further attacks. The group did, however, target a diverse range of websites, from Fortune 500 companies to small websites and businesses.
The south-central Russian group consists of a small number of young men, fewer than a dozen, who know each other in real life. Although the group has amassed such a large number of passwords, few have been sold on the black market. Instead, the group appears to focus on spamming people through social networks, collecting payment from those who request the spam campaigns.
The group also appears to use botnets to test which websites are potentially vulnerable to SQL injection, later returning to any flagged sites to perform a manual extraction. By dividing tasks among its members, the group can work efficiently to amass stolen credentials.
This isn't the first time Hold Security has discovered large caches of stolen information being used maliciously. In February of this year, the company discovered 360 million usernames and passwords for sale in underground forums, as well as 1.25 billion email addresses from multiple breaches.
By alerting the public to large-scale data theft, the company hopes that individuals and businesses will place greater focus on securing personal information and online credentials.