A Russian hacker group appears to have stolen 1.2 billion credentials from over half a billion email addresses, according to findings from Hold Security. The company revealed the results of a seven month long investigation of a gang it calls “CyberVor” on its website on Tuesday.
The CyberVor gang stole credentials from over 420,000 web and FTP sites through a variety of means. Initially the group purchased credentials on the black market and used them to send spam and install malicious redirects. Then, returning to the black market, the group acquired data from an enormous botnet that had tested sites visited by its victims for SQL injection vulnerabilities. Such vulnerabilities were found on over 400,000 sites.
The database of stolen credentials was confirmed to be authentic by an independent New York Times analysis. Hold Security says it may be the largest data breach ever.
The attack targeted large and small websites indiscriminately, but Hold Security has not publicly identified any affected sites for legal and ongoing security reasons. The company is expected to present its findings to the Black Hat security conference this week, according to Gigaom.
The Times says attackers have been identified by Hold as fewer than a dozen men in their 20s in South Central Russia. Their servers are in Russia, but the Russian government does not appear to be involved.
Hold Security had warned in February of the dangers of black market credentials and the quantity of them available, and Microsoft created a public relations mess in July when it attempted to disrupt a botnet by seizing domains from the dynamic DNS service provider No-IP.