'Treasure trove' of personal details found

A keyboard secured with a padlock The batch could be used to launch email scams and crack into online accounts, experts said

Related Stories

A "treasure trove" of stolen personal details has been found on sale on black market websites, a security firm says.

About 360 million account credentials including email addresses and passwords were reportedly uncovered.

Hold Security said it had also found 1.25 billion email addresses without passwords.

It is unknown where the credentials, which were found in the past three weeks, came from - but the company said they included major email providers.

Experts said that the batch was exceptionally large in size. "It is Godzilla-sized, it is a monster," said online security consultant Graham Cluley.

He added: "There may be some duplicates but, even so, it sounds like a complete treasure trove for cybercriminals."

Hold Security said that its findings were the result of "multiple breaches which we are independently investigating".

'Mind boggling'

In a post on its website, it said: "In the first three weeks of February, we identified nearly 360 million stolen and abused credentials and 1.25 billion records containing only email addresses.

It called the numbers "mind boggling" and said the disclosure represented a "call to action" over online security.

According to Mr Cluley, the details could be used to access not only the accounts they are directly associated with, but potentially others.

"What normally comes out is not only spam and phishing attacks, but also that the combination of email and password can be used in multiple places because people use the same ones across different sites," he said.

Mr Cluley added: "If people have a big database of passwords, they use it to find out what the regular ones are. The next time they want to crack into an account, they can use the most common passwords."

And Reuters reported concerns that the discovery could represent more of a risk to consumers and companies than stolen credit card data because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system.

Spamming and phishing

Alex Holden, chief information security officer of Hold Security, told the agency: "The sheer volume is overwhelming."

He said the credentials had been stolen in breaches yet to be publicly reported. The companies attacked could remain unaware until they were notified by third parties who found evidence of the hacking, he said.

"We have staff working around the clock to identify the victims," he said.

The batch also included email addresses not paired with passwords, which would be of use to people intending to launch spamming and phishing attacks.

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features & Analysis

BBC Future

(Getty Images)

How movie dinosaurs lied to us

What’s wrong with cinema’s monster lizards Read more...

Programmes

  • A bird of prey in a Tokyo animal cafeThe Travel Show Watch

    From cats to rabbits and birds of prey – Tokyo’s flourishing animal cafe scene

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.