A gang operating in Russia is reportedly in possession of a staggering 1.2 billion usernames and passwords in a massive hack involving more than 420,000 websites, including many operated by high-profile companies.
Online security firm Hold Security reported details of the hack on Tuesday, describing it as “the largest data breach known to date.”
In a report titled “You have been hacked,” Hold Security said the gang, which it dubbed CyberVor (‘vor’ means ‘thief’ in Russian), had initially acquired databases of credentials from other hackers operating on the black market.
“These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems,” the firm said.
CyberVor later changed its approach, switching to botnet-based methods to build its collection of stolen data. According to the Milwaukee-based security firm, which has been researching the case for the last seven months, these botnets helped the gang to identify around 420,000 vulnerable websites.
“Whether you are a computer expert or a technophobe, as long as your data is somewhere on the World Wide Web, you may be affected by this breach,” the security firm warned, adding, “Your data has not necessarily been stolen from you directly. It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family.”
In its report, Hold Security touted a number of its own services as solutions for bolstering website security, securing data online, and discovering whether your data is in the gang’s possession. While its apparent eagerness to promote its services may cause some to raise an eyebrow over the veracity of its findings, the NY Times reported that an independent online security expert acting on its behalf had examined Hold Security’s research, including the stolen data, and confirmed it to be genuine.
The NY Times said that Hold Security declined to make public any of the affected companies, citing “nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable,” adding that some of them had been told their records were among the stolen data.
The security firm has a track record for uncovering similar high-profile incidents, including the Adobe attack last year involving 38 million accounts. It also identified and tracked the Target security breach earlier this year which saw login and password information for around 360 million accounts posted online.
Following Hold Security’s latest findings, it could be time for you to embark on yet another laborious password-changing session. When trying to figure out a new one, you should keep these tips on how to create a rock-solid password in mind. Enabling two-step verification with online accounts offering the option would also be a wise move.