A security company has claimed detection of one of the biggest data breaches in history, with Russian attackers having made off with more than 1.2 billion unique credentials - but is being coy with details.
In an announcement made late last night, Hold Security claimed to have uncovered evidence over the past 18 months of a gang of criminals operating out of Russia. Dubbed 'CyberVor' - 'vor' being Russian for 'thief' - by the company, the gang is claimed to have stolen 1.2 billion unique credentials from around 420,000 infected websites. These credentials, the company claims, are linked to half a billion email addresses - making it one of the biggest data breaches in recorded history.
'Whether you are a computer expert or a technophobe, as long as your data is somewhere on the World Wide Web, you may be affected by this breach,
' the company warned in its announcement
. 'Your data has not necessarily been stolen from you directly. It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family.
Sadly for anyone alarmed by the company's rhetoric, details of the sites affected are not being made public. Instead, Hold Security is pushing users to register for its Identity Protection Service
, a subscription-bearing service with a free 30-day trial. Businesses, too, are pointed towards the company's paid-for monitoring and notification services. The timing of the announcement to coincide with the launch of such monitoring services has not gone unnoticed, and has led some - including Forbes
journalist Kashmir Hill - to question the validity of the company's claims.
The nature of the Identity Protection Service is also intriguing: those who register are asked to provide email addresses, which are purportedly checked against the database of credentials from CyberVor. If there's a match, Hold Security then asks users to submit their passwords for direct match checking. Despite assurances that said passwords are strongly encrypted at the client side, this encryption could be easily reversed by the company - and would have to be, if any of the stolen data is hashed and salted.