A ring of Russian criminals has acquired 1.2 billion username and password combinations, as well as credentials for more than 500 million email addresses, amassing the largest known collection of stolen Internet credentials.
Cybersecurity firm Hold Security discovered that the group gathered confidential material from 420,000 websites, including household names and small Internet sites, the firm said in a blog post. The crime ring, based in a small city in south central Russia, hacked websites inside Russia as well as major Fortune 500 companies abroad, the New York Times reports.
An independent security expert analyzed the database of stolen credentials at the request of the Times and confirmed Hold Security’s claims were authentic.
The Russian crime ring found hundreds of thousands of vulnerable websites and attacked their coding to steal credentials from their databases, Hold Security said.
“[The] hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Alex Holden, the chief information security officer of Hold Security told the Times. “And most of these sites are still vulnerable.”
The criminals have been using the stolen information to send spam on social networks like Twitter, collecting fees for their work. However, it has yet to sell many of the records on the potentially lucrative black market.
More Must-Read Stories From TIME
- How an Online Pharmacy Sold Millions Worth Of Dubious COVID-19 Drugs — While Patients Paid the Price
- Why Literally Millions of Americans Are Quitting Their Jobs
- Meet the Women Participating in the Study That Could Change Future of Breast Cancer
- Inside the Battle for the Hearts and Minds of Tomorrow's Business Leaders
- An Innovative Washington Law Aims to Get Foreign-Trained Doctors Back in Hospitals
- Why the Ex-Husband of a Missing Chinese Billionaire Is Risking All to Tell Their Story
- Timothée Chalamet Wants You to Wear Your Heart on Your Sleeve