Want CNET to notify you of price drops and the latest stories?

Hackers nab 1.2B passwords in colossal breach, says security firm

Russian gang hacks into more than 420,000 web and FTP sites, amassing username and password combinations and millions of email addresses, company says.

Dara Kerr Former senior reporter
Dara Kerr was a senior reporter for CNET covering the on-demand economy and tech culture. She grew up in Colorado, went to school in New York City and can never remember how to pronounce gif.
Dara Kerr
2 min read


Thought the theft of 110 million people's data during the hack into retailer Target was bad? Hold Security says it's discovered a breach more than 10 times bigger.

Over the past seven months, the security firm has been working to uncover what it says is arguably the largest known data breach in history. Hold Security has identified a Russian cybergang that it believes stole 1.2 billion username and password combinations and more than 500 million email addresses.

"Whether you are a computer expert or a technophobe, as long as your data is somewhere on the World Wide Web, you may be affected by this breach," Hold Security warned in a blog post published Tuesday. "Your data has not necessarily been stolen from you directly. It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family."

The hackers didn't discriminate as to what kinds of websites they hit in this breach -- they went after the most well known companies as well as mom-and-pop websites, said Hold Security. In total, more than 420,000 web and FTP sites were robbed. The firm hasn't yet released the names of these companies because those sites may still be vulnerable.

"They didn't just target large companies; instead, they targeted every site that their victims visited," Hold Security wrote. "With hundreds of thousands sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites."

Hold Security is known for revealing massive data breaches. It identified the October 2013 hack into Adobe Systems that resulted in exposed customer IDs; passwords; and credit and debit card information of 38 million people. It also identified and tracked the Target breach.

But those hacks are small time compared with today's news. The Russian cybergang behind the breach doesn't have a name, said Hold Security, so the firm dubbed it "CyberVor." Vor means "thief" in Russian. Initially, CyberVor amassed more than 4.5 billion records -- but many of those were duplicates, which is why Hold Security lowered its number to 1.2 billion stolen credentials.

With the world's population at 7 billion, a breach of 1.2 billion means almost all adults with email were affected by this hack. However, Hold Security is telling people not to panic and instead to strategize. It's recommending that users sign up for identity monitoring or identity protection services -- specifically touting its own service that is said to cost roughly $120 per month. The firm is also reaching out to the breached websites so they can close up any security holes.