A Russian Crime Ring Probably Has Your Internet Passwords

The news: Stop what you're doing and change your passwords.

According to a breaking report from the New York Times, a Russian crime ring has compiled more than 1.2 billion username and password combinations, making it one of the "largest known collection of stolen Internet credentials." 

Milwaukee-based security firm Hold Security says that the collection includes "confidential material" gathered from more than 420,000 websites, including 500 million emails.

"Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites," Hold Security founder and Chief Information Security Officer Alex Holden told the Times. "And most of these sites are still vulnerable."

The background: This is a massive amount of personal information and the latest in a long line of high-profile Internet security breaches.

The Times reported in December that hackers in Eastern Europe had stolen more than 40 million credit card numbers and 70 million pieces of personal information from Target.

In April, a security bug known as "Heartbleed" exposed tens of millions of servers worldwide to attack, including those utilized by Facebook, Tumblr, Google, Yahoo, Dropbox and Gmail.

And in May, Web giant eBay fell victim to a massive cyber attack that compromised the personal information of more than 28 million users, including passwords and "unprotected" real-world data like names, email addresses, physical addresses, and phone numbers.

The lesson: The Times runs through the potential consequences of this theft:

So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.

But selling more of the records on the black market would be lucrative.

While a credit card can be easily canceled, personal credentials like an email address, Social Security number or password can be used for identity theft. Because people tend to use the same passwords for different sites, criminals test stolen credentials on websites where valuable information can be gleaned, like those of banks and brokerage firms.

The real lesson? Nothing on the Internet is safe. 

“The ability to attack is certainly outpacing the ability to defend,” RAND Corporation researcher Lillian Ablon told the Times. “We’re constantly playing this cat and mouse game, but ultimately companies just patch and pray.”