With the immense hassle Heartbleed caused the computing world, it would have been nice to have been able to go a while without feeling the urge to mass-change our passwords, but thanks to the efforts of a Russian group, that "while" has turned out to be just a couple of months.
According to Hold Security, the same firm that previously exposed the Adobe and Target vulnerabilities, a Russian group has collected a staggering 1.2 billion sets of usernames and passwords tied to 500 million email accounts. Hold Security is not naming any of the 420,000 affected websites and services these credentials involve, but has said that they range anywhere from mom-and-pop sites to household names. Soon, the firm will be launching a subscription service for website owners that will tell them whether they've been exposed to this and other vulnerabilities.
Hold Security said that the Russian group responsible for this breach originally purchased a database on the black market, which was then used to access user email and social media accounts and distribute malicious software. It's also being noted that botnets helped the group identify vulnerable websites, which is how the affected-site count reached that staggering 420,000.
Because we're not being told which websites and services have been affected, it's hard to say with any certainty that anyone should change their passwords - but we'd still highly recommend changing them on websites that hold sensitive information.
It must be said that Hold Security's decision not to clue us in further does raise a couple of questions, though - it's drumming this breach up as the worst we've ever encountered at the same time that it's about to launch a brand-new breach-detection service. That in itself is no big deal, but according to Forbes, the price listed on the page isn't even accurate. It says $120/mo, but company founder Alex Holden has since said that the final price will be $10/mo, or $120/yr. The Breach Notification Service page has not yet been updated to reflect that, however.
Nonetheless, all we can recommend at this point is to adhere to good password practices, and if you're at all concerned that you've been affected, it certainly won't hurt to go and change all of your passwords.