Hold Security declined to identify the sites that were breached, citing non-disclosure agreements and concerns that they remained vulnerable to attack, the paper reported on its website.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable,” the New York Times quoted Alex Holden, the founder of Hold Security, as saying.
Reuters could not independently confirm the details of the report.
Dmitri Alperovitch, chief technology officer of the cybersecurity firm CrowdStrike told Reuters that the stolen passwords could be used to access other accounts beyond the ones on sites that were breached because people commonly use the same passwords for multiple sites.
“A compromise like this could mushroom,” said Alperovitch.
Hold Security in February said it had uncovered stolen credentials from some 360 million accounts that were available for sale on cyber black markets.