Russian Cybergang hacks 1.2B passwords, 500M email addresses in biggest Web heist ever

After more than seven months of research, Hold Security, an Internet security company has identified a Russian criminal group lifted internet credentials, including 1.2 billion passwords and 500 million email addresses from 420,000 websites and FTP sites.

“Whether you are a computer expert or a technophobe, as long as your data is somewhere on the World Wide Web, you may be affected by this breach,” Hold Security wrote in a blog post published Tuesday. “Your data has not necessarily been stolen from you directly. It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family.”

Hold Security

The firm has not released the names of the companies and websites whose information was stolen, because those sites may still be vulnerable.

“They didn’t just target large companies; instead, they targeted every site that their victims visited,”  the company said. “With hundreds of thousands sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”

Milwaukee-based, Hold Security is known for identifying and tracking massive data breaches. In October 2013, It identified a data breach with Adobe Systems, that resulted in exposed customer IDs; passwords; and credit and debit card information of 38 million people. Later in December that year, the company identified over 360 million stolen credentials trafficked on the black market.

But those hacks were small as compared with today’s news. The Russian Cyber gang  did not have a name, said Hold Security. So the comapny dubbed it “CyberVor” (“vor” meaning “thief” in Russian). Initially, CyberVor amassed more than 4.5 billion records, but company has found that 1.2 billion of those records were unique.

With this 1.2 billion hacking, almost all adults with email were affected. The company however is telling people not to panic. It is also reaching to the breached websites to close up any security holes. The firm recommending that users sign up for identity monitoring or identity protection services — specifically touting its own service having cost of USD120 per month.

“Our Pen Testing and Audit Services are also available to investigate further and may find vulnerabilities that are yet to be discovered. Also, to keep your users protected from this and many other breaches, join our Credentials Integrity Service and we will be able to notify you if any of them have had their credentials stolen.

please be patient and we will try to help you! We have developed a secure methodology for you to share with us a very strong (SHA512) cryptographic representation of your passwords for verification.” The company warned in a Blog post.

NewYorkTimes says: “Companies that rely on user names and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at the research firm Gartner. “Until they do, criminals will just keep stockpiling people’s credentials.”

FoxNews says: Richard Martinez, a Minneapolis-based cybersecurity and privacy attorney with Robins, Kaplan, Miller & Ciresi, described the heist as “another alarm going off” for consumers still reeling from high-profile data breaches at the likes of Target and StubHub. Consumers, he added, need to think seriously about password security.

“Refreshing the passwords is critical, not relying on the same passwords across sites is critical,” he said. “At a minimum, the sites that you rank as critical such as your bank, your bills, need unique and distinct passwords.”

To contact the author, write to

Have content to share? Share with us for review