A Russian criminal organization has reportedly pulled off a major Internet heist, collecting confidential information associated with more than a billion website accounts.
The stolen data includes more than 1.2 billion username and password combinations and more than 500 million email addresses, security analysts told the New York Times, which broke the story Tuesday. The incident is the largest known theft of such information in world history, according to USA Today.
Records uncovered by Milwaukee's Hold Security and verified as authentic by a separate firm show that the information was culled from more than 420,000 websites, ranging from those of big companies to little-known sites, the Times reported.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Alex Holden, founder and chief information security officer at Hold, told the Times. “And most of these sites are still vulnerable.”
Holden said that the gang used malicious code to access the websites' SQL databases and steal the information.
"We thought at first they were run-of-the-mill spammers," he said, according to USA Today. "But they got very good at stealing these databases."
The fact that the gang is based in Russia -- though Hold said it does not believe the crime ring has ties to the Russian government -- poses problems for potential enforcement action.
"The perpetrators are in Russia so not much can be done. These people are outside the law," Holden told USA Today.
So far it appears that the gangs have not sold much of the information online, having instead opted to help distribute spam messages, the Times reported.
Avivah Litan, a security analyst at the technological research firm Gartner, told the Times that corporations need to take real steps to avoid such breaches in the future.
“Companies that rely on usernames and passwords have to develop a sense of urgency about changing this,” Litan said. “Until they do, criminals will just keep stockpiling people’s credentials.”