Russian gang holding over 1 billion Internet passwords?

Victor Barreiro Jr.

While Hold Security points to the gang allegedly stealing 1.2 billion user name and password combinations, some are skeptical about the claim

MANILA, Philippines – A security research firm pointed to a Russian crime ring amassing what is believed to be the largest known collection of stolen Internet passwords. 

The stolen data reportedly includes 1.2 billion user name and password combinations, along with over 500 million email addresses.

According to The New York Times, the security firm – Hold Security – said the records contained information from 420,000 websites, but did not name any victims, citing confidentiality agreements.  

Alex Holden, the founder of Hold Security, also noted that the gang used a botnet – a network of compromised computers – and SQL injection commands to make databases give out their information. 

The New York Times also got a security expert unaffiliated with Hold Security to analyze the database of stolen credentials, confirming its authenticity. 

A separate security specialist who reviewed the information but was not allowed to speak publicly told The New York Times that some large companies were aware some of their records had been stolen. 

An article by Kashmir Hill on Forbes, meanwhile, cites a certain incongruence in the reporting, pointing not only to the lack of details in the story, but also to Hold Security offering its own paid service to notify users if their data had been taken. 

Notes the article, “Hold Security put a page up on its site about its new breach notification service around the same time the New York Times story went up.”

The site description, according to Hill, also says, “In addition to continuous monitoring, we will also check to see if your company has been a victim of the latest CyberVor breach.”  

Hold Security calls the incident the “CyberVor” breach.

Hill points to this incongruence as “a pretty direct link between a panic and a pay-out for a security firm.”

While she does expect security firms to earn revenue from protecting the public, she is also skeptical about “a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic.”

Internet users may want to monitor their computers for a potential security breach or change passwords as needed. At the same time, until more information is made public, there may not be a need for a full security sweep of your digital life. Rappler.com


Victor Barreiro Jr is part of Rappler's Central Desk. An avid patron of role-playing games and science fiction and fantasy shows, he also yearns to do good in the world, and hopes his work with Rappler helps to increase the good that's out there.