The internet credentials of some New Zealanders will almost certainly have fallen into the hands of a Russian cyber gang, an online security expert fears.

Hackers have amassed the largest known cache of stolen internet credentials, including 1.2 billion unique user name and password combinations and more than 500 million email addresses, security researchers say.

The large-scale theft was discovered by US-based firm Hold Security, which says the hackers stole information from 420,000 websites.

The thieves, dubbed 'CyberVor' by the researchers, using "vor", the Russian word for thief, have targeted not just large companies but small or even personal websites, Hold Security says.

"Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems," the group said in a statement posted on its website.

But earlier this year the hackers - based in south central Russia - got access to data from a large group of virus-infected computers controlled by one criminal system to steal the millions of unique sets of e-mails and passwords.

"As long as your data is somewhere on the World Wide Web, you may be affected by this breach," Hold said.

"Your data has not necessarily been stolen from you directly. It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family."

Hold Security, which identified 360 million stolen credentials trafficked on the black market earlier this year, advised companies to check that their systems can protect against such breaches.

But they warned that the ultimate victims were the end-users.


Cyber safety and security group NetSafe was certain that New Zealanders are now at risk.

"With that volume of data, that many accounts, [it] will no doubt involve details that belong to New Zealanders," said NetSafe's chief technology officer Sean Lyons.

"People can then be very exposed, and it's a big concern."

Since many websites ask for a username and password, or email address and password, users are at risk if the company's data goes astray.

Mr Lyons urged people to think twice before giving away password and username details.

"They should ask themselves 'Who is this company, how important is it that I give this data, why do they need it, and where do they talk about their ability to safeguard my important personal information?'"