Russian criminals have stolen 1.2 billion Internet user names and passwords, amassing what could be the largest collection of stolen digital credentials in history, a respected security firm said Tuesday.
The news was first reported by The New York Times, which cited research from Milwaukee-based Hold Security. The firm didn't reveal the identities of the targeted websites, citing nondisclosure agreements and a desire to prevent existing vulnerabilities from being more widely exploited.
Hold Security founder Alex Holden told CNNMoney that the trove includes credentials gathered from over 420,000 websites - both smaller sites and "household names." The criminals didn't breach any major email providers, he said.
Holden said the gang makes its money by sending out spam for bogus products like weight-loss pills, and had apparently amassed its collection of digital credentials for that relatively innocuous purpose.
"It's really not that impactful to the individuals, and that's why they were under the radar for so long," Holden said. "They've ignored financial information almost completely."
But Holden said the gang's success at amassing passwords demonstrates that weak security procedures are common on websites of all sizes.
Security researchers have uncovered a fatal flaw in a key safety feature for surfing the Web - the one that keeps your email, banking, shopping, passwords and communications private.
What is it?
It's called the Heartbleed bug, and it is essentially an information leak.
It starts with a hole in the software that the vast majority of websites on the Internet use to turn your personal information into strings of random numbers and letters. If you see a padlock image in the address bar, there's a good chance that site is using the encryption software that was impacted by the Heartbleed bug.
"It's probably the worst bug the Internet has ever seen," said Matthew Prince, CEO of website-protecting service CloudFlare. "If a week from now we hear criminals spoofed a massive number of accounts at financial institutions, it won't surprise me."
What does it do?
For more than two years now, Heartbleed has allowed outsiders to peek into the personal information that was supposed to be protected from snoopers.
The bug lets attackers abuse a feature that the two ends of a connection use to check that the other side is still online, known as the "heartbeat extension." A malformed heartbeat request can force the responding computer to hand back secret information stored in its memory.
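To make the mechanism concrete, here is an added, constructed example (not OpenSSL's code and not from the article) that models the heartbeat record layout in C. A heartbeat request carries a declared payload length; the defect is that the handler trusted that declared figure instead of checking it against the number of bytes that actually arrived. The example places a constructed "secret" in memory just after a short request that declares a 32-byte payload, runs a vulnerable handler and a corrected handler over it, and reports what each returns. The `SECRET:...` bytes, the record contents and every function name are constructed for the demonstration; the bounds check in `hb_reply_fixed` is the defensive point.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy model of the TLS heartbeat record layout from RFC 6520: one type
 * byte, a two-byte big-endian payload length, the payload, then at least
 * 16 bytes of padding. Constructed for illustration; not OpenSSL's code. */
#define HB_REQUEST  1
#define HB_PADDING  16
#define HB_HEADER   3

/* Constructed "process memory": the incoming record sits at the front and
 * unrelated sensitive data happens to follow it, as it might on a heap. */
static const uint8_t hb_memory[] = {
    HB_REQUEST, 0x00, 0x20,                 /* declares a 32-byte payload ... */
    'p', 'i', 'n', 'g',                     /* ... but only 4 bytes arrived    */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,        /* 16 bytes of padding             */
    'S','E','C','R','E','T',':','c','o','n','s','t','r','u','c','t','e','d',
    '-','k','e','y','-','m','a','t','e','r','i','a','l', 0
};
/* Bytes that really came off the wire: header + 4-byte payload + padding. */
static const size_t hb_record_len = HB_HEADER + 4 + HB_PADDING;

static uint16_t hb_declared_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable handler: echoes as many bytes as the sender *declared*, never
 * comparing that figure with how many bytes actually arrived. mem_len only
 * keeps this demo within defined behaviour; a real process has no such fence.
 * Returns the number of bytes placed in out, or -1. */
static int hb_reply_vulnerable(const uint8_t *mem, size_t mem_len,
                               uint8_t *out, size_t out_cap) {
    uint16_t plen = hb_declared_len(mem);
    if ((size_t)plen > out_cap || (size_t)HB_HEADER + plen > mem_len)
        return -1;
    memcpy(out, mem + HB_HEADER, plen);   /* reads past the real record */
    return (int)plen;
}

/* Corrected handler: the declared payload must fit inside the record that
 * was actually received (header + payload + padding). Otherwise the request
 * is silently dropped, which is how the upstream fix behaves. */
static int hb_reply_fixed(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;
    uint16_t plen = hb_declared_len(rec);
    if ((size_t)HB_HEADER + plen + HB_PADDING > rec_len) return -1;
    if ((size_t)plen > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, plen);
    return (int)plen;
}

/* Byte-wise search that does not stop at the NUL bytes in the padding. */
static int hb_contains(const uint8_t *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Vulnerable handler over the constructed memory: returns 32, the declared
 * length, even though only 4 payload bytes were sent. */
int hb_demo_vulnerable_len(void) {
    uint8_t out[256];
    return hb_reply_vulnerable(hb_memory, sizeof hb_memory, out, sizeof out);
}

/* 1 if the vulnerable reply carried bytes from beyond the record. */
int hb_demo_leaks_secret(void) {
    uint8_t out[256];
    int n = hb_reply_vulnerable(hb_memory, sizeof hb_memory, out, sizeof out);
    return n > 0 && hb_contains(out, (size_t)n, "SECRET");
}

/* Corrected handler on the same oversized request: rejected with -1. */
int hb_demo_fixed_result(void) {
    uint8_t out[256];
    return hb_reply_fixed(hb_memory, hb_record_len, out, sizeof out);
}

/* Corrected handler on a well-formed request: echoes exactly 4 bytes. */
int hb_demo_fixed_valid(void) {
    uint8_t rec[HB_HEADER + 4 + HB_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p','i','n','g' };
    uint8_t out[256];
    return hb_reply_fixed(rec, sizeof rec, out, sizeof out);
}

int main(void) {
    printf("vulnerable echoed %d bytes, leaked secret: %d\n",
           hb_demo_vulnerable_len(), hb_demo_leaks_secret());
    printf("fixed on oversized request: %d, on valid request: %d\n",
           hb_demo_fixed_result(), hb_demo_fixed_valid());
    return 0;
}
```

The only difference between the two handlers is the comparison of the declared length with `rec_len`; that single missing check is why the article can describe the bug as an information leak rather than a break in the encryption itself, and why it can be triggered without leaving anything in the usual application logs.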
At the very least, Heartbleed exposes your usernames and passwords. It also compromises the session keys that keep you logged into a website, allowing an outsider to pose as you - no passwords required. And it allows attackers to pose as a real website and dupe you into giving up your personal details.
Making matters worse, the Heartbleed bug leaves no traces - you may never know when or if you've been hacked.
"You could watch traffic go back and forth," said Wayne Jackson III, CEO of open source software company Sonatype. "This is a big deal. When you think about the consequences of having visibility into Amazon and Yahoo, that's pretty scary."
For more on this story, see CNN Money.