'Treasure trove' of personal details found By Kevin Rawlinson

BBC News Published duration 26 February 2014

image caption The batch could be used to launch email scams and crack into online accounts, experts said

A "treasure trove" of stolen personal details has been found on sale on black market websites, a security firm says.

About 360 million account credentials including email addresses and passwords were reportedly uncovered.

Hold Security said it had also found 1.25 billion email addresses without passwords.

It is unknown where the credentials, which were found in the past three weeks, came from - but the company said they included major email providers.

Experts said that the batch was exceptionally large in size. "It is Godzilla-sized, it is a monster," said online security consultant Graham Cluley.

He added: "There may be some duplicates but, even so, it sounds like a complete treasure trove for cybercriminals."

Hold Security said that its findings were the result of "multiple breaches which we are independently investigating".

'Mind boggling'

In a post on its website, it said: "In the first three weeks of February, we identified nearly 360 million stolen and abused credentials and 1.25 billion records containing only email addresses.

It called the numbers "mind boggling" and said the disclosure represented a "call to action" over online security.

According to Mr Cluley, the details could be used to access not only the accounts they are directly associated with, but potentially others.

"What normally comes out is not only spam and phishing attacks, but also that the combination of email and password can be used in multiple places because people use the same ones across different sites," he said.

Mr Cluley added: "If people have a big database of passwords, they use it to find out what the regular ones are. The next time they want to crack into an account, they can use the most common passwords."

And Reuters reported concerns that the discovery could represent more of a risk to consumers and companies than stolen credit card data because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system.

Spamming and phishing

Alex Holden, chief information security officer of Hold Security, told the agency: "The sheer volume is overwhelming."

He said the credentials had been stolen in breaches yet to be publicly reported. The companies attacked could remain unaware until they were notified by third parties who found evidence of the hacking, he said.

"We have staff working around the clock to identify the victims," he said.