A group of Russian hackers has stolen the largest amount of Internet credentials in history, Milwaukee-based Hold Security announced this week. The stolen information includes 1.2 billion user name and password combinations, as well as 500 million email addresses.

The information security firm has declined to name the victims of the thefts, in light of its nondisclosure agreements and the fact that several of the targeted companies still remain vulnerable. However, The New York Times confirmed Hold Security’s findings by hiring an expert unaffiliated with the Wisconsin company. The expert subsequently determined that the database of stolen identities was genuine.

The Details of the Information Theft

The gang of cyber criminals built up their pool of stolen credentials over a span of several years. They started work on their illicit enterprise in 2011, when they began buying personal information on the black market. However, in April 2014, they advanced their capabilities. Alex Holden, the founder and chief information security officer at Hold Security, said that he believes that the group teamed up with another criminal entity, which he has not yet identified, in order to learn more about various hacking techniques.

Since then, the group has begun using botnets — networks of computers that have been infected by a virus — for stealing information on a gargantuan scale. By July, they were able to steal 4.5 billion records, each with a user name and password. Although many of these records overlapped, Holden estimated that around 1.2 billion of them were unique.

According to the security firm, the hackers captured information from over 420,000 websites. The victims were from countries around the world, and ranged in size from small businesses to large corporations.

Another Instance in a Growing Trend of Cyber Crime

This is not the first large-scale information theft to occur in recent history, with several information security breaches coming just last year. In December, Eastern European hackers stole 40 million credit card numbers and 70 million other pieces of personal information, including addresses and phone numbers.

Similarly, US authorities uncovered in October a Vietnam-based identity theft scheme that had managed to steal around 200 million personal records. That stockpile of stolen data included credit card information, bank account records, and Social Security numbers.

How to Protect Your Information

While it remains unclear what companies were struck by the latest theft, there can be no doubt that both corporations and consumers should be on their guard. First and foremost, those concerned about the safety of their records should change their passwords, making sure not to duplicate passwords for multiple sites.

Another crucial measure involves signing up for a password manager. These applications create unique passwords for each site that a person visits, and then stores them in a database secured by a master password. This decreases the likelihood of a person using the same password twice or choosing one that is too easy to hack.

Managing passwords is only one part of the solution. While it is a good first step, it is often not enough on its own. Other security features, such as secondary or two-factor authentication, should also be used when possible. Websites that use this method will send users a message with a one-time code that they must enter before accessing the system.

Contact us to discuss the best security options for your organization.