Criminals Steal 1.2 Billion Usernames and Passwords


The New York Times and other media outlets are reporting that a Russian criminal gang has acquired over 1.2 billion unique usernames and passwords. The user credentials were gathered through security holes in over 420,000 websites. The list of websites has not been released but the New York Times has verified it contains a wide range of companies, “from Fortune 500 companies to very small websites.

Internet users are urged to once again change all of their passwords, from banking to social media.


This particular group is comprised of less than a dozen Russian men in their 20’s.

They began purchasing stolen credentials back in 2011 but recent accelerated their activity beginning this past April.

They are capturing credentials mainly using botnets. Anytime a user infected with the virus visits a website, a test is run to see if that particular website is vulnerable to hacking techniques (mainly SQL injection). If the website is vulnerable, the hackers make a note and return at a later time to extract the full content of the website.

It is estimated that this particular group had collected 1.2 billion unique usernames and their associated password by July of this year.

Additionally, because people tend to use the same passwords for different sites, the Russian hackers have used the stolen credentials to gain access to sites such as banks or brokerage firms.


At this point, the security firm does not believe that the stolen credentials are being sold on the internet, but mainly being used to spam on behalf of other organizations and collecting a fee for doing so. Since it is more profitable to sell credentials online, we cannot rule the possibility that it will be done in the future.

The security firm, Hold Security, has begun to alert those companies and organizations that were victimized, but they indicated they were not able to reach all of them. The NYT article also referenced a site where individuals would be able to test to see if their credentials have been compromised. However, this site has yet to be deployed.


It is not clear how the botnet computers were first infected with the virus, but this is a good example of why it’s important to be vigilant when browsing the internet.

If a download seems too good to be true, it probably is! Downloading files like software or other media can install malware or viruses on your computer without you even knowing it. Make sure you are downloading and install software from trust sources only, such as well-known publishers or authorized resellers. You can also use antivirus software to scan files before installing the files. Northeastern provides all faculty, staff and students with a free copy of Symantec Endpoint Protection, which can be downloaded through myNEU > Software Downloads.

It would also be wise to change all your passwords. Make sure to use different passwords for different sites. Worried about forgetting all those passwords?

Apps, like Dashlane, LastPass, and KeePass are free and let you store your passwords in a secure location so you don’t forget them.

Remember to create secure passwords. Strong passwords are at least 10 characters in length and should be contain uppercase, lowercase, numbers and symbols. Strong passwords should not contain any dictionary words, your name or your username. Make sure all your passwords are different than the last. A good example of a strong password would be IL0v350cc3r!75.

Note: A controversy with Hold Security has emerged as the company is offering services to potential victims of the breach for $120 a year. Hold Security has been faulted with having a huge financial incentive in creating a public panic with their choice of words in their public communications.

The Washington Post: Russian hackers steal more than 1 billion passwords. Security firm seizes opportunity.

Forbes: Firm That Exposed Breach of Billion Passwords Quickly Offered $120 Service To Find Out If You’re Affected

Image credit: Flickr: Christophe Verdier

This entry was posted in Malware, Anti-Virus, Phishing, Scams, Safe Computing. Bookmark the permalink. Both comments and trackbacks are currently closed.