Of more than 4.5 billion records possessed by CyberVor, more than 1.2 billion are unique user IDs and passwords.
Of more than 4.5 billion records possessed by CyberVor, more than 1.2 billion are unique user IDs and passwords.

A group of Russian hackers, dubbed “CyberVor,” are sitting on the biggest cache of stolen credentials to date, according to a Tuesday post by Hold Security.

Following seven months of research, Hold Security learned that the CyberVor gang is in possession of 4.5 billion records, the majority of which are credentials. Of those, Hold Security identified 1.2 billion unique pairs of user IDs – mostly email addresses – and passwords.

“If we narrow it down by unique e-mail addresses, we still have over half a billion records since there may be multiple passwords corresponding to a single e-mail address,” according to the post, which indicates that not all email addresses are valid.

The compromised credentials come from more than 420,000 web and FTP sites from around the world, the post indicates, adding that the CyberVor gang did not discriminate – large and small organizations across all industries, even personal websites, were impacted.

CyberVor began by accessing underground online markets and obtaining databases of stolen credentials. “These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems,” according to the post.  

Then the campaign took a turn.

CyberVor returned to the underground online markets and gained access to data from botnet networks, according to the post. Then, anytime one of the victims in the botnet went to a website, the group was able to determine if it was vulnerable to SQL injection

SQL injection typically involves an attacker inputting SQL statements into an entry field that will force the system to execute potentially malicious commands, such as, allowing illicit access to a database. As it turns out, more than 400,000 sites were vulnerable, the post indicates.

Most concerning is that people are reusing passwords, Joe Siegrist, CEO and cofounder of LastPass, told SCMagazine.com in a Wednesday email correspondence, explaining that the attackers could use the credentials to target specific individuals or companies, commit identity theft, and spread malware.

“They can also perpetrate credit card fraud, or hold accounts hostage – taking all data, email addresses, [and] social accounts hostage at once,” Siegrist said. “We also could see a domino effect where having so many credentials makes it easier for them to gain more credentials, [since] people reuse the same login information across multiple accounts.”

Hold Security did not respond to a SCMagazine.com request for comment.