A cyber security firm has reported a “mind boggling” cache of stolen credentials which has been put up for sale on online black markets. A total of 360 million accounts were affected in a series of hacks, one of which seems to be the biggest in history.
Alex Holden, chief information security officer of Hold Security
LLC, said that the firm had uncovered the data over the past
three weeks.
He said that 360 million personal account records were obtained
in separate attacks, but one single attack seems to have obtained
some 105 million records which could make it the biggest single
data breach to date, Reuters reports. “The sheer volume is
overwhelming,” said Holden in a statement on Tuesday.
“These mind boggling figures are not meant to scare you and
they are a product of multiple breaches which we are
independently investigating. This is a call to action,” he
added.
Hold Security said that as well as 360 million credentials,
hackers were also selling 1.25 billion email addresses, which may
be of interest to spammers.
The huge treasure trove of personal details includes user names,
which are most often email addresses, and passwords, which in
most cases are unencrypted.
Hold Security uncovered a similar breach in October last year,
but the tens of millions of records had encrypted passwords,
which made them much more difficult for hackers to use.
“In October 2013, Hold Security identified the biggest ever
public disclosure of 153 million stolen credentials from Adobe
Systems Inc. One month later we identified another large breach
of 42 million credentials from Cupid Media,” Hold Security
said in statement.
Holden said he believes that in many cases the latest theft has
yet to be publically reported and that the companies that have
been attacked are unaware of it. He added that he will notify the
companies concerned as soon as his staff has identified them.
“We have staff working around the clock to identify the
victims,” he said.
However, he did say that the email addresses in question are from
major providers such as AOL Inc, Google Inc, Yahoo Inc, and
Microsoft Corp, as well as “almost all” Fortune 500 companies and
nonprofit organizations.
Heather Bearfield, who runs cybersecurity for an accounting firm
Marcum LLP, told Reuters that while she had no information about
Hold Security’s findings, she believed that it was quite
plausible as hackers can do more with stolen credentials than
they can with stolen credit cards, as people often use the same
login and password for many different accounts.
“They can get access to your actual bank account. That is
huge. That is not necessarily recoverable funds,” she said.
The latest revelation by Hold Security comes just months after
the US retailer Target announced that 110 million of their
customers had their data stolen by hackers. Target and the credit
and debit card companies concerned said that consumers do not
bear much risk as funds are rapidly refunded in fraud losses.