Russian hacker mob amasses 1.2 billion password haul

What's described as the biggest known collection of stolen usernames, passwords, and email addresses has been amassed by a Russian crime collective, security researchers have warned today, with 420,000 sites apparently compromised. The vast stockpile was identified by research firm Hold Security – which last year broke the news on the Adobe Systems hack – which says it includes data snatched from Fortune 500 company sites among others.

So far, the exact identities of the sites that unwittingly contributed to the credential database have not been revealed. Hold Security is both bound by non-disclosure agreements and a reluctance to expose unpatched vulnerabilities, the NY Times reports.

However, third-party validation of the data acquired by the firm suggests that it is, indeed, legitimate.

The haul consists of 1.2 billion username and password combinations, along with over half a billion email addresses, though the number of actual records extracted is said to be more like 4.5bn. Hold Security used contacts within the group responsible to uncover the extent of the exploits.

According to the research, less than a dozen men are involved, using Russia-based servers. Some are responsible for the programming, while others actively steal the data itself; it's also possible that the group partnered with an as-yet unknown other group as it built upon its previous efforts.

At the heart of the exploit is a huge botnet of slaved computers which use SQL injections on potential victim sites. Vulnerable pages are highlighted for more intensive examination, in what Hold Security's Alex Holden says amounts to an "audit" of the internet.

Meanwhile, "most of [the sites exposed] are still vulnerable," Holden concludes, while the botnet itself is still actively harvesting.

Currently there's no way of knowing whether your own credentials have been exposed, or indeed what nefarious use might be made of them.