A Wisconsin security firm claims that a Russian criminal group has accumulated the largest known collection of stolen online usernames and passwords via SQL injections, according to a new report in The New York Times on Tuesday.
Hold Security, which did not immediately respond to Ars’ request for comment, apparently has 1.2 billion usernames and passwords across 420,000 sites. It declined to tell The Times which companies were affected, nor name the group specifically.
In February 2014, Hold Security also discovered 360 million compromised login credentials for sale in underground crime forums. The haul, which included an additional 1.25 billion records containing only e-mail addresses, came from multiple breaches. In October 2013, the same firm discovered the circulation of 153 million user names and passwords stolen during a massive breach of Adobe's corporate network. A month later, the security firm uncovered 42 million plaintext passwords taken during a hack on niche dating service Cupid Media.