[IMPORTANT UPDATE] There are considerable doubts about the news below. It is possible that the New York Times was working together with Hold Security to mislead the public. Check the latest article here to learn more.
An information security and investigation company, Hold Security, has reported the largest account heist in the history of the Internet. The stolen data comprises as many as 1.2 billion username/password pairs and over 500 million email addresses, gathered from 420,000 websites all over the world.
The Hold Security report suggests that the attack had no specific target: "[the hackers] targeted any website they could get, ranging from Fortune 500 companies to very small websites". Most of the sites still remain vulnerable to further attacks.
The group of hackers consists of about ten people who know each other personally and presumably work from one place somewhere between Kazakhstan and Mongolia. "There is a division of labor within the gang; some are writing the programming, some are stealing the data. It's like you would imagine a small company; everyone is trying to make a living," said the founder of Hold Security, Alex Holden. Their scheme is more sophisticated than exploiting Heartbleed. They use botnet-infected computers to test whether a site a user visits is vulnerable to SQL injection, an attack in which crafted input is interpreted as database commands and makes the site return data it should not. Nothing is yet known about how they managed to infect so many devices with the botnet.
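As an added illustration (not from the article or from Hold Security's report) of the SQL injection the article refers to: a user lookup that concatenates input into its query, beside the parameterized form that defends against it, run against an in-memory SQLite table filled with constructed sample rows.

```python
import sqlite3

# Constructed sample data standing in for a site's user table (not from the report).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the SQL by string concatenation, so the input becomes query text.

    Any quote characters in `username` change the structure of the statement.
    """
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the driver binds the input as a value, never as syntax."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Compare both lookups on a normal name and on a malformed input.

    The malformed input (a quote followed by an always-true condition) makes the
    concatenated query return every row; the parameterized one returns nothing,
    because no user has that literal name.
    """
    conn = make_db()
    probe = "x' OR '1'='1"
    return {
        "normal_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "probe_vulnerable": len(lookup_vulnerable(conn, probe)),
        "probe_safe": len(lookup_safe(conn, probe)),
    }


if __name__ == "__main__":
    print(demo())  # {'normal_vulnerable': 1, 'probe_vulnerable': 2, 'probe_safe': 0}
```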
Currently the group only uses the stolen email addresses to send spam; the account credentials have not been found on sale. Hold Security has started notifying the affected companies about the breaches, but its team cannot reach every victim at the moment.
Have you noticed any strange activity on one of your accounts? It's probably time to change your password.