A Russian crime syndicate is said to have collected over one billion usernames and passwords and more than 500 million e-mail addresses in what is being called one of the largest online cyber intrusions in history.
More than 400,000 websites are affected by the data breach, according to security researchers quoted by the New York Times on Tuesday. Those websites include well-known “household names” and small web services alike, the Times said.
A cyber security expert with Wisconsin-based Hold Security said most of those 400,000 websites are still vulnerable to breaches.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Alex Holden, the founder and chief information security officer of Hold Security, told the paper.
Holden refused to identify the websites that were affected, citing non-disclosure agreements and concern that websites could fall victim to other attacks if their names were published while they remain vulnerable.
Security experts say the Russian hackers do not appear to be selling the information they’ve collected, but are instead capitalizing on the compromised credentials by sending spam messages to other users in exchange for payments from third parties.
The Times says the hacking ring is run by fewer than a dozen men in their 20s out of a remote village in south-central Russia. The group started as a small gang of cyber criminals who bought stolen usernames and passwords off the black market. Over time, the operation grew larger: The syndicate is said to have partnered with another group whose identity has not yet been uncovered.
Hold Security says it has begun notifying affected websites of the data breach. The company is also working on a tool that will allow individuals to see if their e-mail addresses are among those that were compromised.
Cyber security experts recommend using a different, complex password for every website (a password made of a random string of letters, numbers and punctuation marks is hard to crack) as well as employing two-step authentication, a feature that requires a person to enter a code generated by a mobile device after entering their password.