A hacker going by the name of "mr.grey" might have been at least a participant in, if not the mastermind behind, the creation of the world's largest stolen login credentials database. A Reuters report yesterday says unsealed court documents released this past week in Milwaukee show that while investigating the massive collection, which contained details on 1.2 billion accounts, FBI agents reportedly uncovered a list of domain names and utilities the attackers used to send spam. Buried in those findings was an email address registered in 2010 to a "mistergrey." Armed with a lead, agents scoured Russian hacking forums for posts authored by that same username. One from 2011 caught their attention: an advertisement for account information for Facebook, Twitter and Russian social network VK users. Alex Holden, CISO at Hold Security — the firm that discovered the credential database — told Reuters this likely indicated the hacker either created or was able to access the stolen data.

When The New York Times broke news of the data collection in August 2014, it billed it as "the biggest hack ever." This wasn’t totally the case. CyberVor, the alleged group behind the database, likely got its data from hundreds of thousands of breaches over many months, and it allegedly began its collection by buying information from prior hacks; it still remains unclear how many of the stolen credentials the group actually compromised itself, especially considering it preferred SQL injection, a relatively common technique, as its primary attack tool. A Fortune 500 company, many of whom had users compromised, would likely protect itself against this kind of attack. At the time of its outing, CyberVor wasn’t selling the data or using it to steal money. Instead, it was using it for Twitter spam.