1.2 Billion User Names and Passwords Stolen in Massive Hack, Security Firm Says

A U.S. company said it discovered the hacking attack by a Russian gang during a seven-month investigation.

Russian hackers have collected 1.2 billion user name and password combinations and 500 million email addresses, according to a security firm.

The massive hack was discovered by Milwaukee-based Hold Security LLC after seven months of research, Bloomberg said. Hold Security said in a news release that the Russian cyber gang responsible for this is now in possession of the largest known cache of stolen data.

More than 420,000 Web and FTP sites were likely targets, the private security firm said. The hacking scheme targeted websites of all sizes, including personal websites.

According to The New York Times:

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”

Hold Security said it will not name victims of the breach because of that vulnerability.

So what are the Russian hackers doing with the stolen information? According to Time:

As of now, the criminals have not sold many of the records online, and instead are giving the information to third parties to send spam on social networks like Twitter. They’re then collecting fees for their work. So far, it doesn’t appear to be a complete disaster for Internet users, but it leaves a lot of people very vulnerable.

The sheer size of this hack has brought standards of identity protection on the Web into question, the New York Times said.

“Companies that rely on user names and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at the research firm Gartner. “Until they do, criminals will just keep stockpiling people’s credentials.”

Though you likely won’t find out if your user names and passwords were stolen in this breach, it’s still a good idea to take steps to protect yourself, Time said.

It’s probably a good idea to change your password now. And if you use the same passwords for multiple websites — don’t. Reusing passwords is not a good idea because it makes it that much easier for hackers to get into many of your accounts and access key information like your credit card data. Security experts recommend regularly changing your passwords anyway.

What do you think about the latest cybersecurity breach? What do you do to protect your Internet credentials? Share your thoughts below or on our Facebook page.

Stacy Johnson



  • shondell mann

    This is utterly unspeakable. Just the thought of it leaves me in awe. Not only do we have to protect ourselves from one another in our own country, but to fathom the thought of other neighboring countries invading our privacy is appalling!

  • bigpinch

    I can’t say that I’m a model of security efficiency but, at the same time, I’m not overly concerned about this. 1.2 billion user names and passwords is a lot of data to sift through, so these people are going to be unproductively busy for a long time however many of them there are.
    I may be whistling past the graveyard but I’ve always assumed that, with the expertise of hackers being what it is, no passwords are secure. So what to do? Don’t be complacent. Monitor all of your critical accounts. Assume that someone will break into them. Catch the breach as soon as possible and limit the damage.

  • I think that every “critical” website should use extra added layers of protection. For example, my bank HSBC, not only requires a user name and password, but an extra 3 digits that rotate with each login from a 9-digit key that you specified earlier upon registration. They are now getting rid of the 9-digit key and replacing it with a security device that generates a random number which you input upon logging into your internet account. Without this random number, you are not getting in!

  • transmitterguy

    OK, put your hands up if your password and ID haven’t been compromised… one… two… three. OK, three people total. Every news organization has been reporting this. My question is, how are 25 guys in a room going to process 1.2 billion of anything? Where would they have gone to find that many passwords in one place? If everyone changes their password then their list is obsolete. I think this is a crock, devised by the government, or the banking industry, to make people change their passwords. It just doesn’t make sense. We are being DUPED.

    • transmitterguy

      Oh yeah, hackers don’t want your Sears username and pass, they want your username and pass to your bank account and retirement account. They aren’t interested in pennies.
