A group of Russian hackers has reportedly amassed what may be the largest collection of stolen Internet credentials ever: 1.2 billion user names and passwords, plus 500 million email addresses. Hold Security, a Wisconsin-based information security company that uncovered the stash and the hacking ring behind it, provided the details to the New York Times on Tuesday. More than 420,000 websites, including some unnamed but reportedly major ones, fell victim to the remarkably rudimentary hack over the several years the cybercrime ring has been operational, according to the Times.
The technique believed to be used is a well-established one for plucking low-hanging fruit of the Internet. Computers all over the world, unknowingly infected with malware, formed a "botnet" doing the group's bidding. Each time a computer visited a site, it attempted a "SQL injection," in which items like search and comment fields are filled with code meant to force the site's database to spit out its contents. Such vulnerabilities are well known and fairly easily fixed, but thousands of websites clearly have yet to do so. NBC News contacted Hold Security for details but has not yet received a response.
- Skilled, Cheap Russian Hackers Power American Cybercrime
- Russian Accused of Hacking Into U.S. Stores and Restaurants
- Toughen Up Your Critical Passwords in 4 Easy Steps
— Devin Coldewey, NBC News