A Russian gang has amassed the world’s biggest collection of stolen user names and passwords. Online security research firm Hold Security told The New York Times that the Russian gang has a collection of 1.2 billion user name and password combinations. That means the gang can access Internet credentials of those 1.2 billion users. What’s more, it also has captured over 500 million email addresses.

Russian Passwords

Even Fortune 500 companies fell victims to Russian hackers

Milwaukee-based Hold Security said the records, including confidential material, were collected from more than 420,000 websites. Websites affected include small Internet sites as well as household names. Hold Security has a strong track record of uncovering major hacks. Last year, the security specialist was the first to report that millions of users accounts at Adobe Systems Incorporated (NASDAQ:ADBE) were compromised.

Hold Security declined to name victims, citing non-disclosure agreements (NDAs). The New York Times contacted another security expert not affiliated to Hold Security to analyse the database of stolen user credentials. This expert confirmed that the database was authentic. Another security experts said that some of the world’s largest Internet companies knew that their records were among the stolen credentials.

Alex Holden, founder of Hold Security, said that hackers didn’t just target U.S. firms. Their targets range from small websites to Fortune 500 companies. What’s surprising is that most of these sites are still vulnerable. Businesses increasingly find it difficult to keep user information out of the hands of thieves. In December 2013, 40 million credit card numbers and personal information of more than 70 million users were stolen from Target Corporation (NYSE:TGT).

No connection between the hackers and Russian government

In October 2013, federal prosecutors said a hacker group in Vietnam had obtained more than 200 million personal records including credit card numbers, Social Security numbers and back account details from a company called Court Ventures. But the latest discovery has dwarfed almost every security breach in the past. Internet security experts have called for improvements in online identity protection.

Hold Security saw no connection between the hacker gang and the Russian government. Even Russian websites fell victims to this crime gang, said Mr. Holden. However, the Russian hackers haven’t sold many of those records so far. They are mostly using the stolen database to send spam on behalf of other groups while charging fees for their work.