Russian Crime Ring Boasts More Than A Billion Stolen Passwords, Change Yours Now

With the immense hassle Heartbleed caused the computing world, it would have been nice to go a while without feeling the urge to mass-change our passwords, but thanks to the efforts of a Russian group, that "while" has turned out to be just a couple of months.

According to Hold Security, the same firm that previously exposed the Adobe and Target breaches, a Russian group has amassed a staggering 1.2 billion username and password combinations tied to 500 million email addresses. Hold Security is not naming any of the 420,000 affected websites and services, but says they range from a mom-and-pop site to a household name. The firm will soon launch a subscription service that tells website owners whether they have been exposed in this or other breaches.

Hold Security said that the group behind this collection originally bought a database of stolen credentials on the black market, then used it to break into victims' email and social media accounts and distribute malicious software. It also reports that the group used botnets to identify vulnerable websites, which is how the tally reached that staggering 420,000 figure.

Because we are not being told which websites and services were affected, there is no way to tell anyone exactly which passwords to change. We would still strongly recommend changing them on any site that holds sensitive information, and on any other site where you have reused one of those passwords, since a password leaked from a minor site opens every account that shares it.

It must be said that Hold Security's reticence in not cluing us in better raises a couple of questions, though: it is billing this as the worst breach we have ever encountered at the same time as it is about to launch a brand-new breach-detection service. That in itself is no big deal, but according to Forbes, the price listed on the page isn't even accurate. It says $120/mo, whereas company founder Alex Holden has since said the final price will be $10/mo, or $120/yr. As of this writing, the Breach Notification Service page has not been updated to reflect that.

Nonetheless, all we can recommend at this point is to adhere to good password practices, above all a unique password for every site, and if you are at all concerned about having been affected, it won't hurt anything to go and change all of your passwords.
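When the leaked sites are not named, the one check you can actually run is against your own password store: which passwords are shared across sites (so that one unknown leak exposes several accounts), and which match a leaked list you do have. The script below is an added example, not code from the article or from Hold Security; the vault entries and the "leaked" hash set are constructed sample data, and comparing SHA-256 digests of passwords is just a way to keep the leaked list out of plaintext in this demo, not a description of how any real service works.

```python
import hashlib
from collections import defaultdict

# Constructed sample password-manager export: (site, username, password).
# Illustrative entries only, not real accounts or credentials.
VAULT = [
    ("mail.example",  "alice@example.com", "Tr0ub4dor&3"),
    ("shop.example",  "alice@example.com", "Tr0ub4dor&3"),
    ("bank.example",  "alice",             "correct horse battery staple"),
    ("forum.example", "alice_f",           "hunter2"),
]


def sha256_hex(password: str) -> str:
    """Hex SHA-256 of a password, so the leaked set below never holds plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a credential dump whose source sites are unknown,
# stored as hashes of the leaked passwords. "hunter2" is deliberately one of
# the vault's passwords so the check has something to find.
LEAKED_HASHES = {sha256_hex(p) for p in ("hunter2", "password1", "letmein")}


def find_reuse(vault):
    """Map each password hash used on more than one site to a sorted list of sites.

    Reuse is the real exposure when a dump's origin is unknown: one leaked
    password from a minor site unlocks every other site that shares it.
    """
    sites_by_hash = defaultdict(set)
    for site, _user, password in vault:
        sites_by_hash[sha256_hex(password)].add(site)
    return {h: sorted(s) for h, s in sites_by_hash.items() if len(s) > 1}


def find_leaked(vault, leaked_hashes):
    """Return (site, username) pairs whose password hash appears in the leaked set."""
    return [(site, user) for site, user, pw in vault if sha256_hex(pw) in leaked_hashes]


def sites_to_rotate(vault, leaked_hashes):
    """Sorted list of sites whose password should change: reused or known leaked."""
    to_rotate = set()
    for sites in find_reuse(vault).values():
        to_rotate.update(sites)
    to_rotate.update(site for site, _user in find_leaked(vault, leaked_hashes))
    return sorted(to_rotate)


if __name__ == "__main__":
    for digest, sites in find_reuse(VAULT).items():
        print(f"password {digest[:12]}... reused on: {', '.join(sites)}")
    for site, user in find_leaked(VAULT, LEAKED_HASHES):
        print(f"{user} on {site}: password is in the leaked set")
    print("rotate:", ", ".join(sites_to_rotate(VAULT, LEAKED_HASHES)))
```

On the sample vault this flags mail.example and shop.example for sharing a password and forum.example for a password that is in the leaked set; bank.example, with a unique and unleaked password, is left alone. Most password managers can export to CSV, so replacing VAULT with a parsed export is the only change needed to run this against a real store.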

CDeeter 4 months ago

Time to start holding countries that harbor these thugs accountable for the actions of their citizens by imposing economic sanctions until the hackers are put behind bars.

Joseph Pianta 4 months ago

One password, I have hundreds, all now 20 plus characters or more. And a company that knows who was affected is going to hold that data hostage to be sold to the affected site so they can maybe inform their users that they didn't take enough care to protect their data against hackers. 'We want your money but don't care enough to protect your personal data.' We also need to start holding these companies that don't care about their clients' data accountable. I haven't seen too many of these places that have been breached do much more than send out a notice that you might want to update your password, if they did even that. They should be covering the cost of protecting my data via a monitoring service or offering a discount to them.

BrianSmith 4 months ago

If they stole the passwords already, they can simply steal them again, so 'change your password' is stupid advice - better advice would be to fix the affected millions of websites so passwords can't be stolen this way.

MADSKILLZ412 4 months ago

Stuff like this has happened before there is really no need to be paranoid and go change all of your passwords. :/

altshep123 4 months ago

That sounds like ignorant advice at best. Yeah, breaches happen fairly often, but not on this magnitude. Even with smaller instances it's still not a reason to be careless with your accounts. You should be changing your passwords fairly frequently anyway. This isn't paranoia, it's smart practice online.

Thankfully, they are your accounts and you can do whatever the heck you want with them so it's no skin off my back. Personally I don't like the thought of one of my important credentials sitting out for sale/use like some negative lottery.
