Russian hackers steal billions of web passwords

In what could become a major electronic security crisis, Russian hackers may have stolen more than a billion passwords.

The hackers grabbed 4.5 billion usernames and passwords, weeded out duplicates and held onto 1.2 billion.

Web users at a California cafe fear the bad guys have their information.

"I work in financial services and it's a nightmare what's going on," said Beth Solomon.

The breach was revealed by Hold Security, which says the Russian hackers pushed spying programs to PCs worldwide, so when users logged onto sites, the hackers were sent their passwords.

"My entire account was wiped out, about $1,000," said Jeremy Beal, whose PayPal account was hacked. "My password was stolen."

But that doesn't mean he necessarily learned his lesson about changing his password frequently.

"No, I still don't change them all the time," Beal said.

Most people don't, and experts say manually changing passwords might not work anymore.

"We're like amateurs playing against the NFL here," said Larry Clinton, president of Internet Security Alliance.

Clinton, a web security expert, says hackers also use automatic programs to get login info.

"So even if you have a very complicated password, they're going to run through a billion variations and eventually, they'll trip upon it. You need to combat this with an equally-automated system of defense," he said.

Websites like LastPass, KeePass, Dashlane and others can generate and store complex passwords - daily, if you like - and you log in through their site. That helps you stay safer from the super hackers, but you are still not immune.

The next step could be double authentication - a password and, say, a retinal scan or thumbprint. It's costly and less convenient, but there is pressure on the large sites like Gmail and Amazon to make the switch.

So far, experts say the hackers are not selling the stolen information on the black market, but are just using it to send spam. You can also stop hackers from getting into your accounts by changing your username; it doesn't always have to be your password you change.