In what's believed to be the largest stockpile of stolen Internet credentials in history, a Russian hacking ring has gathered more than 1.2 billion unique Internet credentials, according to Web security experts. The relatively small group has reportedly collected passwords along with user names and email addresses.
"This year is already on track to be the year of the mega-mega breach," Orla Cox, director of security response for the anti-virus software company, Symantec.
The news was first reported by The New York Times, which says the group attacked all kinds of websites to steal data: large and small, and in countries from Russia to the U.S. and elsewhere.
Milwaukee-based Hold Security confirms to NPR it discovered the breach. The confidential material was gathered from more than 420,000 websites, ranging from small operations to those of major corporations.
Hold Security hasn't revealed which businesses are vulnerable, in part because of nondisclosure agreements and in part because many of their websites remain vulnerable. Security experts say it's unclear what the hackers will do with the data, so it's smart to go ahead and change your passwords.
"I think all Internet users should assume they've been impacted by this," says Cox. "Clearly these aren't opportunists, they aren't hobbyists. These are full time cyber-criminals they have been likely carrying this out for a number of months, maybe even years."
As for more details about the hacking gang, the Times says it has grown more ambitious since starting out as a spam operation in 2011.
From the Times:
"The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are believed to be in Russia."
DAVID GREENE, HOST:
We're learning more this morning about a high-profile data breach - a big one. Russian hackers have allegedly gotten their hands on more than a billion online usernames and passwords. This was first reported by the New York Times. It's believed to be the largest stockpile of stolen credentials ever. Here's NPR's Elise Hu.
ELISE HU, BYLINE: Online security firms had already predicted this would be the year of the big breach. Orla Cox directs a anti-virus firm Symantec's security response teams.
ORLA COX: This year is already on track to be the year of the mega, mega data breach.
HU: How mega is this? The total number of worldwide Internet users is 3 billion and this hack captured more than 1 billion credentials. But as few as a dozen millennial generation hackers were behind it, according to Hold Security, the firm that discovered the breach. That's because most of the data stealing was done by computers with what's known as a zombie army or botnet.
COX: They did not require, you know, highly sophisticated techniques.
HU: Hackers infected the computers with malware - bots that snuck onto sites and link up as a network to amass his record-setting collection. Cox said all hackers had to do was wait.
COX: These are full-time cyber criminals who are, you know, have likely been carrying this out for a number of months maybe even years.
HU: Law enforcement organizations aren't saying whether they're investigating this breach but the Times reports that the companies affected know they're vulnerable. So security firms say change your passwords.
COX: All Internet users should assume that they've been impacted by this.
HU: This billion user breach underscores an ongoing problem as companies race to safeguard our data, hackers can often get to it first. Elise Hu, NPR News, Washington. Transcript provided by NPR, Copyright NPR.