A Russian cyber-criminal gang using relatively unsophisticated methods has managed to amass over one billion username and password credentials and compromise more than 500 million email addresses in the space of just four months.
The breach was revealed by Hold Security, which has been monitoring the activity of the small group of Russian criminals for some time - and has even used its contacts within the hacking community to communicate with them.
While Hold Security has not revealed which services and websites have been affected - as many are still vulnerable - it has revealed details of just how easy it was for the gang of fewer than a dozen men in their 20s, from a small city in south central Russia, to steal vast quantities of data.
"Hackers did not just target US companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites," Alex Holden, founder and chief information security officer of Hold Security, told the New York Times. "And most of these sites are still vulnerable."
The criminals have not sold many of the records so far, but have instead been observed using them to send spam messages on social networks like Twitter and Facebook for other groups, collecting a fee for doing so.
The group started out in 2011 as amateur spammers, buying up databases of stolen credentials on underground forums frequented by cyber-criminals.
However, in April of this year the gang changed their approach and accelerated the collection of data to an almost unprecedented level.
Using the credentials from stolen databases, the criminals sent out phishing emails which lured victims into clicking on a malicious link or downloading a malicious file - either of which would infect the victim's computer with malware.
This malware allowed the criminals to create a botnet, a network of zombie computers which would do whatever those who controlled it commanded.
Whenever an infected system visited a website, the malware would probe the website to see if it was vulnerable to a well-known attack technique called SQL injection.
"Auditing the internet"
In an SQL injection attack, the attackers submit crafted input to a website which, if the site fails to sanitise it, is passed through to the database behind the site and can cause it to return the contents of that database - databases which typically contain usernames and passwords.
If the website is found to be vulnerable, it is marked and reported back to the criminals, who return later to harvest the data.
Holden equated the technique to "auditing the internet".
Using this technique the gang was able to collect 4.5 billion username and password combinations within just four months. However, many of these overlapped, and having sifted through the records, Hold Security estimates that 1.2 billion unique records were stolen.
Hold Security has not revealed the names of any of the affected websites, but has said that everyone from major online services to small, independent websites has been targeted.
The security company has tried to inform all companies of the breach but has not been able to contact all the websites prior to making the breach public.