It starts with 1.2 billion user name and password combinations. Then it carries on to over 500 million e-mail addresses. These sound like staggering numbers alone, but the picture only gets worse when it's considered just who has these items: a crime ring operating out of Russia. That's the report from Hold Security, who recently made the grim discovery that a substantial quantity of user records are currently in the hands of said crime ring, drawing the information from a combination of records and gathered confidential material.

Hold Security, a company that's well known for spotting major hacking jobs after same have been completed—Hold Security was reportedly the ones who spotted the loss of tens of millions of records taken out of Adobe Systems (News - Alert)' storage back last year—and this newest discovery may be one of the most potentially disastrous yet. Hold Security's find involves confidential material taken from fully 420,000 websites. Just which sites were involved, meanwhile, Hold Security is not as yet saying, because of a combination of nondisclosure agreements and a desire not to tip off other potential hackers to vulnerable sites.

A separate security expert—one not currently affiliated with Hold Security—was brought in by the New York Times to analyze Hold Security's findings, and discovered that, indeed, the database of credentials unearthed was indeed authentic. When a second independent expert was brought in, said expert reported that there were several companies out there aware that information had been stolen, and that said companies' records would be part of this trove.

But it wasn't just major companies involved in this, at last report, and smaller websites were also involved. Worse, it's not the only such hacking that's taken place lately, only just one of the latest such hackings. Back in December, Target lost fully 40 million credit card numbers, along with 70 million pieces of personal information like addresses and phone numbers. But the Hold Security find goes well beyond that, and that's leading some to call for an end to the user name / password security combination.

With the annual Black Hat security conference taking place in Las Vegas this week, it's quite clear that the market for security mechanisms is steadily on the rise, and with good reason. More and more of the activities we used to do in brick-and-mortar settings are now being done online, from video gaming to shopping and well beyond. But these activities are also representing cash on the hoof, and all that moving money is drawing the attention of the criminal element. That's leading to greater numbers of hacking attempts, and—as anyone who's been in sales long enough will note—the more attempts are made, the more likely it is that at least one of these will be a success. What's more, the average value of such a hacking attempt is also on the rise; last year, the average cost to a company for a data breach was $3.1 million. This year, the average is around $3.5 million, or an increase of around 15 percent.

As RAND Corporation security researcher Lillian Ablon put it, “The ability to attack is certainly outpacing the ability to defend.” But what can be done? Some have suggested going to biometric security, perhaps the ultimate in such measures as it commonly requires a thumbprint or a retinal scan to work. Though some of these measures are being shown to work, others still quite clearly have some issues, and that's enough to make some more cautious souls consider more active means to protection.