Biggest Cache of Stolen Creds Ever Includes 1.2 Billion Unique Logins

Published: 22/11/2024   Category: security




A Russian crime ring has swiped more than a billion unique username-password combinations, plus a half-million email addresses.



A Russian crime ring has amassed a gargantuan database of pilfered login credentials, including 1.2 billion unique username-password combinations and 542 million email addresses, Hold Security of Milwaukee said today. This makes it the largest known collection of stolen credentials to date.
According to Hold Security, the attackers used a botnet to hunt for sites vulnerable to SQL injection hacks. They compromised roughly 420,000 websites and lifted 4.5 billion username-password combinations in all; after eliminating duplicates, the number drops down to a no-less-impressive 1.2 billion unique login combos. Hold Security has not released the names of the victim sites.
What's puzzling is that the criminals have not put this goliath database to great use so far. They are not selling the records. They're merely using them to operate a spammer-for-hire service. Nevertheless, the incident underlines the persistent troubles of lax website security, inadequate monitoring, and single-factor authentication.
"At this stage of the game, using passwords for security is simply table stakes," David Rockvam, vice president of product management and marketing communications for Entrust, told us. "In order to truly protect our personal and financial information, second-factor authentication is a necessity."
"Some companies are not being proactive enough about security; therefore, they are ill equipped to detect these types of breaches," said Jay Kaplan, CEO of Synack. "In fact, it's likely that most of them do not even realize how many times they've been compromised, as it's very challenging to track compromises when you do not have a continuous security cycle to test against and prevent these types of attacks."
"Today, we have learned of a huge issue where it seems like billion passwords were stolen overnight," said John Prisco, CEO of Triumfant, "but in reality... crime rings have been stealing information for years. They've just been doing it undetected, because there hasn't been a concerted effort on the part of companies entrusted with this information to protect it. Vendors haven't delivered a truly defensive product until recently. For so many years, we've relied on antivirus, which just doesn't work. Vendors are in a transition period where the most effective products are not yet widely deployed."
Hold Security's researchers do not believe the attackers are politically motivated or have any connection with the Russian government. Russian entities were among the websites compromised.
