‘Staggering’ data breach of 1.2B usernames and passwords could worsen: Expert

The massive data breach revealed this week could be even worse than initially feared, warns a cybersecurity expert.

Citing records discovered by security specialist Hold Security, The New York Times reported on Tuesday that a Russian crime ring has managed to gain access to more than a billion stolen Internet credentials. The stolen credentials include 1.2 billion password and username combinations and more than 500 million email addresses, according to Hold Security, which describes the breach as potentially the largest ever.

This, however, could be just the tip of the iceberg, according to Richard Martinez, a Minneapolis-based cybersecurity and privacy attorney with Robins, Kaplan, Miller & Ciresi. “The potential target zone of companies that are affected by this is much larger than the ones initially impacted by the breach,” he told FoxNews.com.

Martinez explained that, with many consumers re-using their passwords, hackers could potentially access data from even more companies and organizations. “As staggering as the scale of this is right now, it may well be much larger.”

Hold Security identified 1.2 billion “unique” stolen credentials consisting of both a username and a password. However, the Milwaukee-based security specialist says that the gang amassed a total of 4.5 billion records, stolen from more than 420,000 web and File Transfer Protocol (FTP) sites.

Hold Security, in a statement on its website, explained: “4.5 billion credentials seems like an impossible number, but just think of how many sites require you to register your email address and, let’s face it, almost everyone re-uses their passwords.”

“The sheer number of credentials can potentially open a door to many systems and accounts,” the statement reads.

Citing nondisclosure agreements and a reluctance to identify companies still at risk, Hold Security has not named the victims of the hack, or revealed the number of organizations affected. However, the breach is wide-ranging, according to the security specialist. “With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites,” it said.

Hold Security has an impressive track record targeting hackers, most notably when it identified 153 million credentials stolen from Adobe Systems last year.

The latest discovery followed more than seven months of research. Hold Security dubbed the gang, which did not have a name, “CyberVor” after “vor,” the Russian word for thief.

Martinez described the heist as “another alarm going off” for consumers still reeling from high-profile data breaches at the likes of Target and StubHub. Consumers, he added, need to think seriously about password security.

“Refreshing the passwords is critical, not relying on the same passwords across sites is critical,” he said. “At a minimum, the sites that you rank as critical such as your bank, your bills, need unique and distinct passwords.”
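The reuse problem Martinez describes can be checked at the point where a site accepts a new password. The following is an added example, not code from the article, from Hold Security, or from any company named here. It assumes a site holds an offline copy of leaked password hashes (the corpus below is constructed from made-up strings), indexes them by SHA-1 prefix in the k-anonymity range-query style so that a lookup never reveals the full hash, and stores its own users' passwords with salted PBKDF2 so that a password refresh can be rejected when it simply repeats the old one.

```python
import hashlib
import hmac
import os

PREFIX_LEN = 5  # hex characters of the SHA-1 revealed in a range query

# Constructed corpus: passwords assumed to appear in a leaked credential dump.
# A real deployment would load hashes from a breach corpus instead.
BREACHED_PLAINTEXTS = ["password1", "letmein", "qwerty123", "summer2014"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form breach corpora are commonly published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(plaintexts):
    """Index breached SHA-1 hashes by their first PREFIX_LEN hex characters.

    This mirrors a k-anonymity range query: the caller reveals only the prefix,
    receives every suffix filed under it, and does the final comparison locally.
    """
    index = {}
    for p in plaintexts:
        h = sha1_hex(p)
        index.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
    return index


def range_query(index, prefix):
    """All stored suffixes for one prefix (empty set when none are known)."""
    return index.get(prefix.upper(), set())


def is_breached(password, index):
    """True when the password's hash suffix appears under its prefix bucket."""
    h = sha1_hex(password)
    return h[PREFIX_LEN:] in range_query(index, h[:PREFIX_LEN])


def hash_for_storage(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 for the site's own store (never raw SHA-1)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, dk


def matches_stored(password, stored):
    """Constant-time comparison of a candidate against a (salt, digest) record."""
    salt, dk = stored
    _, candidate = hash_for_storage(password, salt)
    return hmac.compare_digest(candidate, dk)


def check_password_change(new_password, index, previous_records):
    """Return the reasons to reject a new password; an empty list means accept."""
    reasons = []
    if is_breached(new_password, index):
        reasons.append("appears in a known credential dump")
    if any(matches_stored(new_password, rec) for rec in previous_records):
        reasons.append("reuses a previous password for this account")
    return reasons


if __name__ == "__main__":
    idx = build_prefix_index(BREACHED_PLAINTEXTS)
    history = [hash_for_storage("oldpass")]  # constructed account history
    for candidate in ["letmein", "oldpass", "a-fresh-unique-passphrase"]:
        print(candidate, "->", check_password_change(candidate, idx, history) or "ok")
```

The split into prefix and suffix is what lets a site (or a browser extension) consult a shared corpus without handing over the password hash itself; the PBKDF2 record is what a site should hold for its own users, since a stolen table of raw SHA-1 hashes is exactly what makes dumps like this one reusable elsewhere.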

Government and law enforcement should also take notice, according to the lawyer. “They have a critical role in this -- they need to redouble their efforts to shut down the criminal networks that are both hackers and creating a marketplace for these credentials,” he explained. “Ultimately, our economic stability is dependent on security within digital networks.”

Hold Security was not available for comment on this story.

Follow James Rogers on Twitter @jamesjrogers