According to US digital security firm Hold Security, a Russian criminal group has perpetrated the biggest hack in living history, stealing over 1.2 billion usernames and password combinations from over 400,000 different websites, many of them high profile.
As it stands, Hold is unwilling to divulge which sites were affected, suggesting that many of them were still vulnerable and that it has signed non-disclosure agreements with others to prevent their image being tarnished. However, to prove they aren't full of hot air, an independent security expert has verified that the database of stolen information appears to be valid.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”
While the hack did originate from Russia, Hold security was keen to point out that Russian websites were also attacked and that it doesn't seem to have any involvement with the Russian authorities, despite their recent interest in taking down anonymous networks.
“I can beta-test Wolfenstein… that's the same as hacking right?”
As it stands, the group doesn't appear to be selling the credentials, but instead selling its ability to use them to spam social networks for third parties in exchange for a set fee. However, should the group decide to sell the usernames and passwords, there are many people that would pay handsomely for them.
Surprisingly, Hold Security is claiming to have a lot of information on those responsible, describing them as group of men in their 20s, working like a small company, with dedicated hackers and spammers. It grew out of a small spamming group back in 2011, into the much more versatile one it is today, potentially having expanded after linking up with a much more experienced hacker(s).
However, it was a somewhat traditional SQL injection attack that all of the sites hit were vulnerable to, prompting many to call for new regulations on website security, since users put trust in the owners to protect their data. Clearly that's become much harder in recent years.
All in all, some 542 million unique email addresses have been stolen, with over 1.2 billion records in total, including many hundreds of millions of passwords.
KitGuru Says: Until we know more, it doesn't seem worth to suggest changing your passwords, as if sites are still vulnerable to the hack you could just have your new information seized in turn.
Image source: Columbia Pictures [Thanks NYTimes]