Hold Security announced the breach on their website Tuesday after working for months to determine its extent. In July, Hold counted 4.5 billion username and password combinations stolen by the gang and found 1.2 billion of those records were unique.
The gang does not have a name but was dubbed CyberVor by Hold Security -- "vor" means "thief" in Russian -- and is composed of men in their twenties based in south central Russia near Mongolia and Kazakhstan. They are not affiliated with the Russian government, but the government is known for not pursuing hackers.
The group hasn't sold many of the credentials; rather, they are using them to spam companies' social media accounts for third parties for a fee. They started out in 2011 as spammers selling the information on the black market. Since then, they have picked up more hacking skills and tools to intensify their efforts. Russian hackers typically steal usernames and passwords and then apply them to various websites to see what personal data they may contain, including Social Security numbers, which can be used for identity theft.
Hold Security would not name the victims, as they have a nondisclosure agreement, but an independent security analyst consulted by The New York Times verified the database as legitimate, with 420,000 websites affected.
"Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites," said founder and chief information security officer for Hold Security Alex Holden. "And most of these sites are still vulnerable."
Hold Security is continuing to reach out to the companies and is working on a secure database where people can check whether their information was compromised.