A Russian hacking gang holds "the largest cache of stolen data" yet seen by cyber security experts, according to a new report and warning by Hold Security.
According to the report, the group, which has no known name of its own and which Hold has dubbed "CyberVor", has amassed around 4.5 billion records on internet users, mostly stolen credentials; some 1.2 billion of these are completely unique credentials belonging to "over half a billion email addresses".
To rack up such a hoard, Hold believes CyberVor must have "robbed over 420,000 web and FTP sites".
Hold believes CyberVor began its mass-collecting spree by buying stolen credentials from other hacking groups who had acquired the data from botnets, but quickly escalated to using more advanced botnets to carry out raids via SQL injection flaws on websites all over the world, "eventually ending up with the largest cache of stolen personal information, totalling over 1.2 billion unique sets of emails and passwords", Hold confirmed.
Geoff Webb, senior director of solution strategy at NetIQ, has said the discovery "signals [that] we are reaching the end of the usable lifespan of the username/password combination for security".
But Mark James, a security specialist at ESET, said the way to get round such problems in future is to "not use email addresses as logins" anymore.
"Websites should give you the opportunity to use a login name that you have full control over, rather than just using the same email address across multiple sites. Of course the usual password rules apply: do not re-use the same password anywhere, make small simple changes that can be easily remembered by yourself, and don't use dictionary words in your password. Even adding one or two random characters into a dictionary word can throw a brute force word search off course."
Tom Burton, a director at KPMG's cyber security practice, said he believes entirely new protection methods will need to be devised.
"The next step will be the rise of consumer-driven 'two factor authentication' using physical devices such as mobile phones to provide unique codes for each access - akin to one-time pads used by spies during the Cold War," he said.