Your one-stop web resource providing safety and security information to manufacturers

A group of Russian attackers were able to collect 1.2 billion unique credentials from more than 420,000 websites and FTP locations, researchers said.

The group targeted all types of websites from big companies to small ones, said researchers from Milwaukee, WI-based Hold Security.

Solar Companies Under Attack
Details on DDoS Linux Trojan
Energy Sector Alert: Dragonfly Attack
Malware Analysis from ICS-CERT

The total stolen records is 4.5 billion, and apart from credentials consisting of names and passwords, the database also contains more than 500 million email addresses, linked to those credentials.

The company named the gang currently holding all this information CyberVor, “vor” standing for “thief” in Russian.

Schneider Bold

Acquiring the data, which is the largest known collection in history, came through the simplest and common form of attack: SQL injection, researchers said.

However, the operation was a large scale attack from the beginning. After getting some databases with stolen credentials from other hackers on the black market, CyberVor gang used them “to attack email providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems,” the company said a blog post.


The group changed their method at the beginning of the year and got access to information from different botnets scanning the Internet for websites with SQL vulnerabilities.

The infected machines would check for SQL weak spots on every site they accessed, Hold researchers said. The infected systems “conducted possibly the largest security audit ever. Over 400,000 sites ended up identified to be potentially vulnerable to SQL injection flaws alone.”

There is a good chance the amount of valid information amassed by the cybercriminals is lower. With so many online services requesting registration of an account, there are plenty of users that rely on a disposable email address in the process.

Hold Security advises companies to check their websites for SQL injection vulnerabilities, since there is a great possibility that most of them are still susceptible to exploitation.

Pin It on Pinterest

Share This