Russian Hackers 'Pull Off Biggest Data Theft'
Russian hackers have stolen 1.2 billion user name and password combinations in what could be the biggest ever data theft, according to a US security firm.
The information is said to relate to half a billion email addresses.
Hold Security, based in Milwaukee, says a 'Cybervor' gang stole the information from 420,000 web and FTP sites.
It claims the gang used a botnet, a network of infected computers controlled by a hacker, to identify weaknesses in websites that people visited.
Users typically do not know their machine is being manipulated by a botnet.
"The botnet conducted possibly the largest security audit ever," says Hold Security on its website, which says it spent seven months researching the alleged breach.
"Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone.
"The CyberVors used these vulnerabilities to steal data from these sites' databases.
"To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of emails and passwords."
Hold Security says the Russian gang targeted every site visited by an infected botnet machine and did not differentiate between well-known sites and smaller ones.
The company has not named the sites that were affected but says the list "includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites".
The New York Times reports that so far it appears little of the information has been sold to other online criminals.
Instead, it says it is being used to send marketing pitches and junk messages on social networks such as Twitter.
Hold Security has a history of uncovering major hacking attacks and previously uncovered a large data theft from software company Adobe.