Russian “CyberVor” gang bought details off black market and used botnets.
A Russian gang has collected what may be the largest archive of login details in existence, according to Hold Security.
4.5 billion records are thought to have been pooled by the gang, dubbed CyberVor by the security firm, of which 1.2 billion are thought to be unique.
Hold said: "The CyberVors did not differentiate between small or large sites. They didn’t just target large companies; instead, they targeted every site that their victims visited.
"With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites."
The hackers are thought to have used a number of methods to collate the credentials, initially buying them directly off the black market and later harvesting them themselves, using botnets that exploited SQL vulnerabilities to target more than 400,000 websites.
"If we narrow it down by unique e-mail addresses, we still have over half a billion records since there may be multiple passwords corresponding to a single e-mail address," Hold said.
Not all credentials are thought to be valid or active, and the firm speculated that some of the email addresses collected were fake.
James Mullock, partner at law firm Osborne Clarke, said: "An interesting feature of the attack having been uncovered by an independent security firm is the unstructured process by which news of which businesses have been hacked reaches those organisations.
"There is currently little legislative guidance regulating how that process should operate and it appears ripe for review."