A cybersecurity firm on Tuesday revealed that it has access to 360 million stolen account credentials that are available for sale on cyber black markets.
The stolen account credentials discovery could pose a greater threat to consumers and companies – even more than stolen credit card data as the sets of usernames and passwords could allow perpetrators to operate users’ bank accounts, corporate networks, health records and virtually any other type of computer system.
The security firm obtained the credentials — username and password pairs during the first three weeks of February, while studying underground forums where stolen data is for sale said Alex Holden, chief information security officer of the Wisconsin-based Hold Security LLC.
This means that an unprecedented amount of stolen credentials has been collected through multiple data breaches and is available for sale underground, Alex said. “The sheer volume is overwhelming.”
One set of 105 million credentials, discovered about 10 days ago by the company, came from a single data breach making it the largest breach ever, Holden said. However, it isn’t yet clear what Web services the credentials unlock.
“We don’t know who has been breached,” Holden said. “Ultimately, we are trying to figure out who the players are.”
The email addresses are from major Webmail providers such as Google, Microsoft, Yahoo, AOL as well as many other corporations. For how long the credentials have been available in the criminal markets still remains a secret.
Users have been advised by security experts to never replicate their passwords from one account to another as a single data breach could possibly lead to break-ins on other services as well.