Security experts from Hold Security say they’ve identified a total of 360 million credentials and 1.25 billion email addresses stolen and misused by cybercriminals from various companies. The massive volume of data was uncovered in the first three weeks of February and it was stolen recently.
The companies from which the information has been stolen have not been named. The security firm is still working on identifying some of the victims and alerting them since they might not be aware of the breach.
Alex Holden, Hold Security’s CISO, has told Reuters that 105 million of the credential sets are from a single attack. This information can be highly valuable for cybercriminals not only to hijack accounts, but also for targeted spam campaigns.
Hold Security has gathered the data as part of its Deep Web Monitoring services. Now, the company has launched Credentials Integrity Services to help companies assert their data integrity.
The firm has analyzed numerous data breaches that have resulted in tens or hundreds of millions of accounts becoming compromised. For instance, they’ve investigated the over 150 million credentials stolen from the systems of Adobe and the 42 million credentials taken from Cupid Media.
While in many cases, cybercriminals obtain login credentials directly from the targeted organization’s systems, they also use botnets to harvest large amounts of data. For example, researchers from Trustwave’s SpiderLabs have analyzed credential records stolen by the Pony botnet.
Over a 4-month period, the botnet has helped attackers steal over 700,000 account credentials for various services, including websites, email accounts, FTP servers, SSH and Remote Desktop services.
Whenever there’s a major data breach, the impacted company usually takes the necessary steps to ensure that their customers’ accounts are not illegally accessed. This involves resetting passwords and locking down accounts.
However, the main problem is that many people use the same credentials for multiple online accounts. This means that if the attackers obtain their credentials for a file sharing site, chances are that the same username and password can be used to access Yahoo, Gmail, Facebook, Hotmail or other accounts.
Even if the breached company resets all passwords and alerts impacted customers, it will take some time until most internauts change all their passwords, and some of them probably never do.
While many users consider that there’s no sensitive information in their email accounts, access to such an account is usually just the first step in an attack that could have serious consequences.