According to a report by The New York Times, the breach was discovered by Hold Security, a cyber security company based in Milwaukee, Wisconsin. Due to nondisclosure agreements, the company said they can't release any information about parties who have had their login information stolen, nor can they share names of any of the websites that have been hacked.
"Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites," Alex Holden, Hold Security's founder and chief information security officer, told the Times. "And most of these sites are still vulnerable."
Hold Security says the passwords were swiped by young Russians working out of a small town in the country's south central region, near Kazakhstan and Mongolia. The info has yet to be sold to other criminals; stolen online info is often traded like currency. Hold Security believes the info is currently being used to spam users on Twitter.
Major companies and cyber security experts are increasingly several few steps behind hackers, many of them operating out of Eastern Europe. In the last several months, companies like Target and eBay have had large chunks of protected info stolen -- including credit card numbers -- leaving many of their users vulnerable.