UPDATED 05:30 EST / AUGUST 06 2014

Russian crime group carries out “largest ever” hack

In what’s being described as the “largest data breach ever”, a Russian cybercrime group has amassed more than 1.2 billion user credentials, including some 500 million email addresses and logins, from over 420,000 websites across the world.

The enormous stockpile of stolen data was unearthed by researchers from Hold Security, LLC, the company that first discovered last year’s Adobe Systems Inc. hack. Data from dozens of Fortune 500 company websites was found in the haul, researcher Alex Hold told the New York Times.

The hackers, believed to originate from southern Russia, accumulated around 4.5 billion username and password combos. They did so by using a vast botnet of hijacked computers to trawl the web for sites vulnerable to SQL injection, one of the most common and basic flaws that websites fall victim to. Many of the stolen credentials were duplicates, which is how researchers arrived at their 1.2 billion total.

Hold Security hasn’t yet revealed the names of affected websites, as it’s bound by non-disclosure agreements and is also reluctant to expose unpatched vulnerabilities, reports the New York Times. However, third-party validation of the data suggests that its findings are real.

One problem is that most of the affected websites are still vulnerable, and so to name them now would likely encourage more attacks. “They audited the Internet,” said Hold, who has since notified the operators of affected sites.

The good news is that the stolen credentials don’t appear to have been sold to anyone yet. But the hackers haven’t been twiddling their thumbs either: they’re using the data to distribute spam on social networks like Twitter and Facebook, activity that suggests a good proportion of the stolen passwords have been cracked or were unencrypted.

Hold Security believes the gang is made up of around a dozen members who are thought to be in their twenties. It says the members all know each other and have their own tasks – some are responsible for maintaining the botnet, while others carry out actual attacks.

Unfortunately there’s no way to know if your own credentials have been exposed, nor what they might have been used for. The only advice we can offer at this point is to change your passwords (and usernames where possible), and make sure you continue to do so often.
