360 Million Stolen Credentials and 1.25 Billion Email Addresses Found on the Black Market

"To help our customers we tracked over 300 million abused credentials that were not disclosed publicly (that is over 450 million credentials if you count our Adobe find). But this month, we exceeded all expectations! In the first three weeks of February, we identified nearly 360 million stolen and abused credentials and 1.25 billion records containing only email addresses," said the company in a statement yesterday.

Alex Holden, chief information security officer of Hold Security LLC, told Reuters that he believes that the 360 million credentials come from multiple breaches that have not yet been publicly reported, and might not even have been discovered by the victims. "We have staff working around the clock to identify the victims," he said. One of the breaches accounts for 105 million credentials on its own.

Worryingly, many of the passwords paired with user names (usually an email address) are in plaintext. This, say experts, is even more dangerous for the victims than the theft of bank card details, where the victims have at least some redress via the banks. "They can get access to your actual bank account. That is huge," said Heather Bearfield of Marcum LLP. "That is not necessarily recoverable funds."

The sheer volume of data stolen suggests that it comes from major heists and not from botnets stealing from individual users. Who the thieves are, however, remains unknown. "The volume of data collected is 'a sign that hackers are switching their tactics,' focusing on large stores of data such as those held by companies rather than targeting individual users," suggests CIO.

The larger haul of email addresses is less immediately worrying, but combined with knowledge of the sources they were stolen from it could leave users more exposed to phishing, spam and scam attacks. "Those who are unemployed and using job sites could be more vulnerable to spam and phishing schemes since they are more likely to respond to offers or to emails from people they don't know," adds CIO.

The email addresses come from the major providers such as AOL, Google, Microsoft and Yahoo, but also include almost all of the Fortune 500 companies and nonprofit organizations. "Holden said he alerted one major email provider that is a client, but he declined to identify the company, citing a nondisclosure agreement," says Reuters.