Feds Credit a Single Hacker behind Theft of 1.2 Billion Log-In Credentials

As revealed by court documents put forth by the FBI, the authority has identified a single hacker behind the theft of the most comprehensive credentials-hack in history.

1.2 billion stolen web credentials. Millions, possibly hundreds of millions of Facebook and Twitter logins. Over 500 million email address, aside from the stolen credentials. Over 420,000 websites targeted to steal the above details. That’s what amounts to the single largest data theft of user names and passwords.

The court papers were filed by the FBI to secure a search warrant in relation to an investigation into the stolen email records back in December 2014. A month later, the warrant was executed. Now public, the papers were revealed at a federal court in Milwaukee, Wisconsin, reports Reuters.

Also read: Amazon Resets Passwords of Customers’ Accounts; Possible Leak

Investigation into the astounding data theft started soon after Hold Security, a cybersecurity firm, tipped the Feds about a Russia-based hacker group dubbed CyberVor, behind the theft. Further investigation revealed that the group of malicious hackers, or even a single hacker, had advertised the sale of the stolen credentials in forum posts under the name of ‘mr.grey.”


During the investigation, authorities browsing through Russian-speaking hacking forums discovered multiple posts by “mr.grey” who made the claim that he could locate the records of any Facebook-, Twitter- or VK-user (VK is a Russia-specific social network, a Facebook clone). These posts were written back in November 2011.

Also read: Three Charged with Masterminding the Single Largest Financial Cyber-Theft in U.S. History

The FBI also discovered that the theft of 1.2 billion stolen credentials and over 500 million email addresses were already being worked on by malicious attackers. The investigation revealed several lists of domain names and utilities that were likely used to send spam to hundreds of millions of email accounts. With such numbers, it’s an inevitability for a comprehensive spear-phishing operation leading to identity theft or theft of financial records.

An email address registered as early as 2010 was discovered in the spam tools used by the attackers. The court documents revealed it to be “mistergrey.”

It’s entirely likely that “mr.grey” used or had access to an offshore database that swallowed up swarms of stolen data from computers using malware, Trojan malware and viruses, according to Alex Holden, CISO at Hold Security.

Facebook and Twitter could not be immediately reached for a comment at the time of publishing.

Hacked will keep you updated on this story as it develops and more from the court documents are revealed.

Featured image from Shutterstock.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.