Russian gangs take 1.2B passwords, 500M email addresses in biggest Web heist ever

Security researchers are calling it the biggest theft of user data ever.

A Russian criminal group successfully lifted 1.2 billion passwords and 500 million email addresses from 420,000 websites, Hold Security, an Internet security company said today.

Hold Security, based in Milwaukee, has declined to release the names of those whose information was stolen nor the websites where the data was pilfered. The company said it was cooperating with U.S. law enforcement and said that so far the Russian gang did not appear affiliated with the Russian government.

The timing is interesting, as relations between the West, led by the U.S., and Russia, led by strongman Vladimir Putin, have reached their lowest level since the end of the Cold War in 1989. Pro-Russian separatists backed by Moscow have been linked to the downing of a Malaysian Airlines flight in July that killed 300 people that was blamed on pro-Russian separatists fighting in Ukraine.

According to the scorching Hold Security after action report, this is how it went down:

“Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks (a large group of virus-infected computers controlled by one criminal system). These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited. The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone.”

The astonishing feat makes the Target data breach in December, where 40 million credit cards and 70 million email addresses were stolen from the retailers servers, pale by comparison. In that attack, Eastern Europe hackers were fingered as the main culprits, but no arrests have ever been made.

Hold Security operatives have been busy. They were the ones who officially confirmed the breach before the feds did, and also were responsible for uncovering a little known hack at Adobe Systems in San Jose where millions of digital files were stolen.

Investigators at Hold Security said they publicly unveiled the Russian hack, which they call the biggest to date, after a grueling seven month investigation. In fact, the security company aptly named the group CyberVor, which means “thief” in Russian.

Small and big enterprise websites were hit in the massive fraud, but again, although identified by Hold Security operatives internally, the names have not been released. Yet.

The data thieves invariably were aided by people using the same password for multiple websites. Hold Security is asking that anybody who believes they were targeted to reach out. While the feds — where was the NSA? — are not the ones who broke the story, U.S. intelligence agencies are no doubt involved now.

What to do?

A page on the Hold research site say: “Don’t panic. Try to strategize.”