If there's one thing everyone should remember about the internet, it's that your data is never truly safe.

Case in point: a Russian cyber gang has made off with around 1.2 billion username and password combos and 542 million email addresses, Hold Security researchers told The New York Times. The publication noted this is the largest collection of stolen internet credentials yet known.

These credentials were reportedly gathered using botnets and SQL injections from around 420,000 different websites, ranging from the very large and to fairly small. The security firm won't name these sites, in part because of nondisclosure agreements, but it has begun alerting them.

The hackers, based in a small city in south central Russia, so far have not sold most of the stolen information, but they are posting spam to social networks in service of other groups.

Hold on for dear life

Hold Security last year discovered a similar heist, with tens of millions of records stolen from Adobe. Apparently they have a solid track record.

Just to be sure, though, the NYT had a third party analyze the data to confirm the researchers' claims.

Meanwhile many of the affected sites remain "vulnerable," Hold Security founder and Chief Information Security Officer Alex Holden said.

Let's just hope we don't have another Target hack fiasco on our hands. The real question is, when will the sites start alerting users?