On Thursday, August 7, The New York Times reported that a sophisticated Russian crime ring was holding a massive cache of stolen Internet credentials. According to Hold Security, a Russian cybercriminal gang, CyberVor, has accumulated 4.5 billion stolen records, including 1.2 billion unique usernames and passwords belonging to more than 500 million email addresses.
CyberVor allegedly obtained the confidential material by raiding 420,000 websites.
Hold Security permitted a third-party security expert to analyze its findings at the request of The New York Times. According to The New York Times, the expert confirmed the data was authentic.
Hold Security did not name the victims, citing confidentiality concerns. But, according to an article appearing in The Guardian, Hold Security has offered a commercial “breach notification” service requiring consumers and companies to pay an up-front fee to see if they had been affected. Hold Security has since said it would allow consumers to check for free whether their usernames or passwords had been stolen.
Given the alleged global magnitude of the breach (nearly 5 billion passwords), we are awaiting notifications from at least a few companies that their users are at risk.