Security researchers revealed that Russian hackers were able to collect at least 1.2 billion username and password combinations, on top of at least 500 million email addresses.
The activities were discovered by Milwaukee-based security firm Hold Security. Researchers detailed in a blog post how the Russian hackers, dubbed the "CyberVor gang," were able to access confidential information from over 420,000 websites.
The Russian hackers initially obtained the credentials of the victims from the black market. They then sent spam to the victims to install malicious redirections on legitimate systems. The gang didn't focus on a single company, but targeted each website visited, affecting hundreds of thousands of websites.
The firm refused to reveal the names of the businesses affected, due to confidentiality agreements and to avoid further disclosure of vulnerable websites.
The New York Times asked a third-party consultant to verify the authenticity of Hold Security's research. The expert confirmed that the information is accurate. Another expert also stated that big companies included in the list are aware that their websites were vulnerable.
"Hackers did not just target U.S. companies; they targeted any website they could get, ranging from Fortune 500 companies to very small websites," Alex Holden, founder and chief information security officer of Hold Security, told The New York Times. "And most of these sites are still vulnerable."
Holden is scheduled to speak more about the security issues being faced by security websites at an industry conference this week. During his talk, Holden expects to get the attention of the small websites that he was not able to contact about their security issues.
Hold Security is the same firm that was identified during the data breach with Adobe Systems in October 2013, and also helped in tracking the Target breach that happened in February this year. Target's website became a victim of the Eastern European hackers, who were able to get at least 40 million credit card numbers, and at least 70 million email addresses, home addresses, and phone numbers.