The New York Times has a doozy of a security report today detailing what’s believed to be the largest collection of Internet identity theft. Based on research from security firm Hold Security, a Russian gang has compromised 420,000 websites in order to collect roughly 540 million unique email addresses.

To make matters worse, most of the affected websites still remain vulnerable, according to the Hold Security founder Alex Holden. A Times source did say that “some big companies” have been informed that their data is among the trove.

The criminal group is suspected of using the information to post spam to social networks. The gang is believed to be composed of “fewer than a dozen men in their 20s who know one another personally.”

The scale of data breaches has escalated at an alarming rate. Late last year, Target went public with a data breach that affected 40 million credit card accounts.

Russian Gang Said to Amass More Than a Billion Stolen Internet Credentials

Image credit: Simon Bratt / Shutterstock