A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses, security researchers say.
The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites….At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.
So far, says the Times, the Russian hackers are mostly using the information “to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.” I guess that counts as good news, all things considered, though obviously 
that could change quickly. Here’s how the Russian gang did it:
They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity….Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as a SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.
“They audited the Internet,” Mr. Holden said. It was not clear, however, how computers were infected with the botnet in the first place.
By July, criminals were able to collect 4.5 billion records — each a username and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.
I guess I really should get started on my annual password-changing exercise. Or maybe get a password manager, which I’ve resisted so far for reasons that may not really be that compelling. Or, alternatively, just forget the whole thing except for a very few sites that pose a real threat if hacked. I mean, do I really care if someone gets the password to my LA Times account? What good would it do them? Unfortunately, even on a fairly narrow reading of “real threat,” I come up with nearly a couple dozen sites. That’s still a lot of passwords to change.
