A Russian gang is said to have stolen more than one billion internet credentials, possibly making it the biggest heist of its kind, according to a new report from The New York Times.
Milwaukee-based security firm Hold Security discovered records of this criminal activity, the Times reports.
The records included confidential material from 420,000 websites, such as 1.2 billion username and password combinations and more than 500 million email addresses.
The targets are said to have ranged from small websites to large companies, and websites inside Russia have also been attacked. The criminals behind the attacks have not sold any of the information online, but appear to be using the credentials to spread spam. The hackers aren’t believed to be connected to the Russian government.
This hacking ring is based in south central Russia, according to The Times, and consists of fewer than a dozen men in their 20s. The hackers began as amateur spammers in 2011, but could have partnered with a larger entity since.
Russian hackers have been using botnets to extract this type of information on a massive scale, the Times reports. Botnets are extremely dangerous because they allow hackers to infect thousands and thousands of computers with software that can allow for remote access.
These remote capabilities can allow the hacker to try to penetrate other systems without the user’s knowledge, Todd Morris, CEO of New York-based security and surveillance firm Brickhouse, said to Business Insider.
So, for instance, a botnet could enable your computer to enter passwords and try to hack into other websites, and you wouldn’t even notice. This makes it much harder to track the source of the attack as well, since the hackers could be using a wide range of different computers from around the world.
The best way to protect your data from attackers is by making sure you don’t use the same password for multiple accounts, Morris said.
“So many people use the same password over and over again for different websites,” he said. “If people were using more unique passwords, it would be a more limited threat.”
Enabling two-factor authentication is also a must, Nicholas Percoco, vice president of strategic services at security firm Rapid7, told Business Insider. Even if a hacker obtains your username and password, he or she can’t gain access to your account if two-factor authentication is enabled.
Two-factor verification is a feature that sends a code to your smartphone that’s required to log in after entering your username and password. Many email providers offer this feature, including Gmail and Outlook among others.
Although 1.2 billion login credentials sounds like a massive chunk of data, Percoco says that it’s probably a small amount of information compared to what’s out there.
“While that seems pretty significant, I would say it’s not necessarily like the entire Internet has been compromised,” he said. “[It’s] insignificant compared to the size of the entire Internet.”
We’ve reached out to Hold Security to hear more about its findings, and will update this story accordingly.