Russian hacker mob accumulated the largest known collection of emails, passwords and usernames, with the haul consisting of 1.2 billion username and password combinations, along with over half a billion email addresses.

TK Keanini, CTO at Lancope: “There is a glutton of credentials always floating around the black market and because of this fact, security professionals need more than just traditional detection signatures looking for exploits and attacks because the adversary is just going to login to your network normally.  In particular, defenders need anomaly detection methods as it is the only way to discovery this abuse in its early stages”.

Mark Bower,  VP at Voltage Security: “This sounds all too familiar: weakly secured sites, preventable vulnerabilities that aren’t patched, and automated botnets to exploit them yielding massive troves of identity data suitable for a ruthless secondary online system attacks at tremendous scale. Yet more evidence the bad guys are winning big at consumers’ expense who will foot the bill for this in the end like a hidden tax. Clearly it’s time to change the game in data-security and neutralize data-breach risks instead of paying the heavy price when sensitive data falls into the wrong hands all too easily.”

Michael Sutton, VP of security research at Zscaler: “With 420,000 sites infected, it will be impossible to work with all of the impacted companies and ensure that the vulnerabilities that led to the breaches are ultimately patched. Many will remain vulnerable for some time, if not indefinitely. The attackers crowd sourced the hacking, leveraging botnet infected computers to do the heavy lifting for them and identify sites vulnerable to SQL injection attacks. This is yet another warning of the dangers of using the same credentials on multiple sites. Consumers should assume that sites they trust will be breached at some point. If they use different credentials on all sites, at least they can limit the damage. Fortunately, there are many tools/services available so that users don't have to remember dozens of different passwords.”