Russian cyber gang steal 1.2 billion usernames & passwords
Security researchers claim haul could constitute the world's largest data breach
A Russian cyber gang has reportedly stolen 1.2 billion online user names and passwords by raiding 420,000 FTP and web sites, US security researchers have revealed.
The team from Hold Security claims the haul could constitute the largest known data breach to date, and has warned end users that the consequences of it are likely to be far-reaching.
"Whether you are a computer expert or a technophobe, as long as your data is somewhere on the World Wide Web, you may be affected by this breach," the company said in a blog post.
"Your data has not necessarily been stolen from you directly. It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family."
The company has also been credited in the past with uncovering the Adobe Software data breach in October 2013, as well as the Target breach in December 2013.
The researchers have dubbed the gang in possession of the data "CyberVor" and claim it amassed its database of stolen usernames and passwords by acquiring them from fellow hackers on the black market.
Once in possession of these databases, the group are understood to have used them to attack email providers and social media sites to distribute spam and install malicious redirections on legitimate sites.
"Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks. These used victims' systems to identify SQL vulnerabilities on the sites they visited...[and] conducted the largest security audit ever," the blog continues.
"Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone. The CyberVors use these vulnerabilities to steal data from these sites' databases."
Mark James, security specialist at anti-virus firm ESET, said the techniques employed by the gang suggest they're a "very organised" group of individuals.
"The only real way of targeting this problem is to not use email addresses as logins," he said.
"Websites should give you the opportunity to use a login name that you have full control over, rather than just using the same email address across multiple sites."
And, to prevent others from being caught out by similar attacks, James reiterated the importance of using multiple passwords to access internet services.
"Do not reuse the same password anywhere, make small, simple changes that can be easily remembered by yourself and don't use dictionary words in your password.
"Even adding one or two random characters into a dictionary word can throw a brute force word search off course," James concluded.