The cyber black market is busting at the seams with stolen credentials, according to a new report.
Speaking to Reuters in an interview on Wednesday, Alex Holden, chief information security officer at Hold Security, said that over a period of just three weeks his company was able to identify 360 million different account credentials that were available for sale on Web-based black market services. The credentials include user names -- which are often e-mail addresses -- and passwords that in "most cases" are in unencrypted text, according to the report.
Holden told Reuters that his company is working to discover where the credentials came from and what they can access. While the targets of the breach are unknown, Reuters notes that the "discovery could represent more of a risk to consumers and companies than stolen credit card data" because of the wide range of computer systems the credentials could access -- anything from online bank accounts to corporate networks.
E-mail addresses in the credentials are from all major services, including Gmail and Yahoo, and almost all Fortune 500 companies and nonprofit organizations, Holden told Reuters.
That so many credentials are floating around the black market is perhaps no surprise to those who have been keeping an eye on the security space. Late last year, Target was hit with a massive data breach that saw the theft of 110 million people's personal information. It was just one in a long line of breaches that have occurred over the last several years, and only proved to put the issue back on the average person's map.
Perhaps most concerning, however, is that Holden believes that the 360 million credentials are predominantly new to the black market sites, and he believes that the breaches that delivered the credentials into hacker hands have yet to be reported. Holden also believes multiple breaches have combined to hit the 360-million mark. In addition to the credentials, Hold Security said more than 1 billion e-mail addresses are also up for sale on the sites.
As of this writing, Holden has yet to inform affected companies or authorities. He claims that his team is working to identify all the affected companies and will inform them of the breach when the data is collected.
Update 9:10 a.m. PT: Added more details on the reportedly stolen credentials.