A cybersecurity company has uncovered a "mind boggling” cache of stolen credentials that was available for sale in the online black markets over the past three weeks.

Around 360 million compromised login credentials and around 1.25 billion email addresses stemming from multiple breaches were obtained by the Internet firm Hold Security LLC.

The email addresses most likely served as usernames and corresponding passwords, though it was unclear what service the account credentials unlocked.

According to Hold Security “these credentials can be stolen directly from your company but also from services in which you and your employees entrust data.”

The firm told Reuters that in its haul the biggest single list yielded 105 million stolen records, which would make it the biggest single data breaches in cybercrime history.

Alex Holden, chief information security officer of Hold Security LLC, in an interview speaking about the latest haul said "The sheer volume is overwhelming."

According to Holden, the credentials were flicked in breaches that have yet to be publicly reported.

He said the firms may not know about the attacks and will remain ignorant about it until they are informed by third parties who find evidence of the hacking.

Holden said he has not furnished the details of the attacks to other online security firms or authorities but intends to alert the companies involved if his staff can identify them.

Meanwhile, a statement posted Tuesday by Hold Security said:

“In the first three weeks of February we identified nearly 360 million stolen and abused credentials and 1.25 billion records containing only email addresses.

“These mind boggling numbers are not meant to scare you and they are a product of multiple breaches which we are independently investigating. This is a call to action," it added.

The email addresses, Hold Security said, came from major providers like Google, Microsoft and Yahoo. Also many nonprofit organizations and nearly all Fortune 500 companies had been impacted.

The security firm, in fact, last October helped uncover the circulation of 153 million usernames and passwords stolen during a major breach of Adobe"s corporate network.

A month later, Hold Security uncovered 42 million plain text passwords taken during a hack on niche dating service Cupid Media.

Hold Security’s latest haul of 360 million stolen credentials is so huge that it is possible it also came from hacks on poorly secured web service servers that save huge caches of user credentials.

Online users who choose the same password for multiple services are at biggest risk in these kinds of hacking attacks.

Once an attacker gets someone’s email address and password for one site, the data can then be used to compromise every other site account that uses the same username and password.

Hence users are advised to employ a long, randomly generated password which is unique for each individual online account. A much more detailed how-to can be found here.


NBC News: Big data breach: 360 million newly stolen credentials for sale

TOI: World"s biggest cyber attack detected, 360 million accounts, 1.25 billion email addresses hacked