Russian hackers ‘steal 1.2bn passwords in largest ever breach’

US security firm says gang accessed information on about 500 million email addresses

A gang of hackers in Russia has amassed 1.2 billion sets of looted user names and passwords, believed to be the largest known cache of stolen personal information.

The pilfered records, associated with about 500 million unique email addresses, were discovered by Hold Security LLC, a Milwaukee-based company that sells information-security and risk-management services.

The findings were based on seven months of research, though the company didn’t give a time period for the theft or name any websites that were hacked.

"We have been collecting information to help our customers stay more secure," Alex Holden, the founder and chief information security officer of the company, said.


“We found that it was such a great impact to society that we decided to make a public statement.”

The New York Times first reported the attack, saying the records were gathered from 420,000 websites including Fortune 500 companies.

Mr Holden said in the interview that the hackers operated from central Russia near the border with Kazakhstan.

He declined to provide exact details about their location or identities in order to not jeopardise potential law enforcement operations. Data was extracted from the websites using a network of compromised computers known as a botnet, according to a statement from Hold Security.

But not all stolen records were valid or current, the company said.

“With hundreds of thousands sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites,” it said.

While the claim still has to be verified, the details and scope of the attack aren’t surprising, said JD Sherry, vice president for technology and solutions at security firm Trend Micro in the US.

“The Eastern European shadow economy is stocked with treasure troves of data as well as national security assets in the form of elite hackers,” Sherry said.

“It is plausible that a single syndicate has cornered the market and compromised over a billion credentials over an extended period of time.”

Cybercrime costs as much as $575 billion a year and remains a growth industry with attacks on banks, retailers and energy companies that will worsen, according to a report published in June by the Washington-based Center for Strategic and International Studies and sponsored by network security company McAfee.