A security firm says it has found 360 million login credentials, mostly with unencrypted passwords, on black-market websites frequented by online criminals.
Alex Holden, chief information security officer of Milwaukee-based Hold Security, told Reuters Tuesday (Feb. 25) that the credentials — username and password pairs — came from multiple data breaches and were collected during the first three weeks of February.
"The sheer volume is overwhelming," Holden told Reuters.
One set of 105 million credentials came from a single data breach, Holden said, which would make it one of the larger breaches yet discovered. He did not say which organizations might have been breached.
Asked Tuesday at the RSA security conference in San Francisco about the figure of 360 million currently available stolen login credentials, security blogger Brian Krebs replied, "There's probably a lot more than that."
Krebs, who sits on Hold Security's advisory board, broke the news of the recent Target data breach and investigates online forums where stolen data is bought and sold.
Holden told Reuters he suspects many of the credentials come from breaches that have not yet been disclosed. The email addresses belong to major webmail providers such as Google, Microsoft, AOL and Yahoo, as well as to many corporations.
It's not clear how long the credentials have been available in the criminal markets, or for how much they are being sold.
Security experts advise users never to reuse a password across accounts, because otherwise a single data breach can lead to break-ins on other services that share the same credentials.