Because the stolen user names and passwords might be used to access online bank accounts, corporate networks, health records, etc., they’re more of a risk to consumers and companies than even stolen credit card data.
Security expert Alex Holden, who helped uncover the data breach at Adobe where tens of millions of records were stolen, said he believed the 360 million records were taken in separate attacks. In one of those attacks, 105 million records were stolen. If his information is accurate, that would make it the largest single credential breach in history. No one knows for sure because the breaches weren’t made public by the companies involved. In fact, those companies might not be aware there were breaches until notified by a third party about the attacks.
Holden observed that the difference between the Adobe breach and this one was that Adobe’s records had encrypted passwords whereas these usernames, email addresses and passwords were in plain text.
In his reuters.com article, Jim Finkle reported that the email addresses for sale are “from major providers such as AOL Inc, Google Inc, Microsoft Corp and Yahoo Inc and almost all Fortune 500 companies and nonprofit organizations.”
Heather Bearfield, who runs the cybersecurity practice for accounting firm Marcum LLP, said hackers can do far more harm with stolen credentials than with stolen payment cards, particularly when people use the same login and password for multiple accounts.
“They can get access to your actual bank account. That is huge.”
Holden also noted that in addition to the 360 million credentials, the criminals are selling some 1.25 billion email addresses. Just imagine all the diet aids, wrinkle cream and male enhancement kits spammers can push with all those addresses.