"Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems," the group said in a statement posted on its website.
But earlier this year the hackers - based in south central Russia - got access to data from a large group of virus-infected computers controlled by one criminal system to steal the millions of unique sets of e-mails and passwords.
"As long as your data is somewhere on the World Wide Web, you may be affected by this breach," Hold said.
"Your data has not necessarily been stolen from you directly. It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family."
Read more:
• Japan rushes to thwart cyber onslaught
• US banks call for a 'cyber war council'
Hold Security, which identified 360 million stolen credentials trafficked on the black market earlier this year, advised companies to check that their systems can protect from such breaches.
But they warned that the ultimate victims were the end-users.
Cyber safety and security group, NetSafe, was certain that New Zealanders are now at risk.
"With that volume of data, that many accounts, [it] will no doubt involve details that belong to New Zealanders," said NetSafe's chief technology officer Sean Lyons.
"People can then be very exposed, and it's a big concern."
Since many websites often ask for a username and password, or email address and password, they are at risk of the company's data goes astray.
Mr Lyon urged people to be think twice before giving away password and username details.
"They should ask themselves 'Who is this company, how important is it that I give this data, why do they need it, and where do they talk about their ability to safeguard my important personal information?'"
