Internet data watchers Hold Security published a post this week revealing that they have found "360 million stolen and abused credentials and 1.25 billion records containing only email addresses." These figures, they added, "are not meant to scare you." Too late.
The security firm explains that they made the discovery in the first weeks of February, and that the data was likely stolen in a number of separate breaches, including one massive theft of 105 million records. Hold Security said that it is investigating independent breaches, and that the disclosure is meant as a "call to action."
Hold Security's chief information security officer Alex Holden told Reuters that he thinks the information was stolen in breaches that the affected companies have not yet reported, adding "we have staff working around the clock to identify victims." The breaches could actually be more harmful to victims than credit card theft because passwords could act as an entry point into several private accounts (especially because most people don't actually use different passwords for different accounts). Furthermore, security expert Heather Bearfield warned that money taken from bank accounts with stolen credentials is not necessarily refundable.