Russian hackers amass 1.2B stolen Web credentials

Criminals in Russia have amassed a huge database of 1.2 billion stolen user names and passwords and half a billion email addresses, a U.S.-based Internet security company said Wednesday.

The data, believed to be the single biggest horde of stolen Internet identity information ever collected, was garnered from attacks that reached into every corner of the Web and hit around 420,000 sites, said Hold Security.

“Before, we were amazed when 10,000 passwords [went] missing. Now we’re in the age of mass production of stolen information,” Alex Holden, the company’s founder and chief information security officer, told IDG News Service in a telephone interview.

Hold Security didn’t identify the websites that were breached, citing confidentiality agreements with clients, but it said they include household names as well as small websites.

The New York Times, which first reported the story, said it hired an independent security expert who verified that the stolen data is authentic.

The sheer scale of the database appears to dwarf similar discoveries in the past. By comparison, the recent theft from Target affected 40 million credit and debit card numbers and 70 million personal records.

That was one of the largest breaches of all time, but the activities of the Russian gang take identity theft to a new level.

“These guys did nothing new or innovative,” said Holden. “They just did it better and on a mass level so it affects absolutely everybody.”

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn’s e-mail address is martyn_williams@idg.com