So, um, you should probably change your password. It seems a Russian crime ring has nabbed the largest cache of stolen Internet credentials ever — including 1.2 billion usernames and passwords and 500 million email addresses. “Yikes” is probably too mild a word.
The New York Times reports that a Midwestern firm, Hold Security, unearthed the theft, which, according to Hold Security’s website, includes information taken from 420,000 websites both big and small. The firm has yet to release the names of those sites, but has set up a service through which users can be alerted if their information has been compromised.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Alex Holden, the founder and chief information security officer of Hold Security told The New York Times. “And most of these sites are still vulnerable.”
The thieves have yet to sell the information they have stolen, it seems, but they have been using the records to send spam on social networks on behalf of other parties, collecting cash for their trouble.
In case you were wondering about the veracity of Hold Security’s report, The Times had a security expert not affiliated with the firm confirm the authenticity of the database of stolen info.
At this juncture, Web denizens are basically in a holding pattern until it’s revealed which sites were compromised. In the meantime, however, security experts have been offering up advice.
David Emm, senior researcher with security firm Kaspersky, told the Guardian that folks should take this occurrence with a grain of salt. “We’ve had very little concrete information released,” he said. “Nothing has been released by an established security company, I personally haven’t come across Hold Security before, and we’ve had no information on the companies affected, or whether they’re still vulnerable … There’s just what seems to me to be a pretty vague claim of the largest security breach to date.”
Others are taking a “better safe than sorry” approach, telling users to just go ahead and change their passwords (which doesn’t seem like it could hurt — “123kitten” is probably not ironclad).
“If you haven’t updated your password recently, now would be the time,” Adam Kujawa, head of malware intelligence at security company Malwarebytes Labs, told Mashable.
USA Today spoke with experts who suggested that users, among other things, make sure to have unique passwords for all accounts — and to never use the same password for social media and money-oriented services.