Security researchers have confirmed that a Russian crime ring managed to steal 1.2 username and password combinations and more than 500 million email addresses. Some claim it's the largest known theft of confidential Internet information.
Alex Holden, founder and chief information security officer for Hold Security in Milwaukee, Wisconsin claims the cyber gang backed into databases from at least 420,000 websites.
He said, "It is absolutely the largest breach we've ever encountered."
Holden admitted to having his own information among the compromised data.
The company has been monitoring the cyber gang for almost seven months, but has just realized the depth of the gang's activities.
Holden added, "We thought at first they were run-of-the-mill spammers. But they got very good at stealing these databases."
Holden didn't identify the gang, but insisted his investigators know their names and locations. He said, "The perpetrators are in Russia so not much can be done. These people are outside the law."
The company has tried to contact the victims, but most of the websites remain vulnerable.
Just last year, Hold Security managed to uncover the theft of tens of millions of records from Adobe Systems.
While the breach is large, some aren't convinced that it's the biggest ever to be discovered. Marc Maiffret, the chief technical officer at BeyondTrust, a Phoenix-based computer security company said, "There's always lots of changes when the dust settles, it takes months to know" how important a breach was.
The hackers pulled off the stunt by taking advantage of the two most common types of hacking: attacking web sites to gain access to underlying databases of customer information, and going after individuals and "everyday email," says Maiffret. "It's really a perfect storm," he added.
To date, the criminals have not sold many of the records online. It instead appears that they have used the stolen information to send spam on social networks like Twitter at the request of other groups, collecting payment for their work.
The hacking ring is based in a small city in south central Russia. The group includes fewer than a dozen men in their 20s who appear to know each other personally. Their computers servers are also believed to be in Russia.
Holden explained, "There is a division of labor within the gang. Some are writing the programming, some are stealing the data. It's like you would imagine a small company, everyone is trying to make a living."
The hack is especially concerning to the victims as personal credentials like email addresses, Social Security numbers or passwords can be used for identity theft.