A gang of Russian hackers appears to have amassed a stockpile of 1.2 billion usernames and passwords as its members roamed the Internet targeting online users, according to a new report from a private security company.

Based on the number of unique email addresses, the hackers appear to have collected data on more than half a billion people, the company Hold Security claims.

The firm, founded last year in Milwaukee,  isn’t naming the hackers, any of the victims or how it obtained the data. For a fee, the company said it offers “breach notification services” for website operators that they can use to see if they’re affected and monitor for ongoing threats, according to its website.

In an email, Alex Holden, the founder and chief information security officer of Hold Security, said he wanted to “avoid discussing details about the hackers whereabouts and names in case law enforcement has an ongoing investigation.”

Mr. Holden said the company is charging fees to recoup costs of verifying website ownership and “prove to them that we are the ‘good guys.’ Believe it or not, it is a hard and often thankless task.”

Security companies often obtain hacker data by infiltrating secret forums and sometimes buy samples of stolen data to see who has been affected. Other times they can gain access to a cybercriminal’s server.

Security experts say this collection of usernames and passwords is impressive in size and points to a trend in recent years where cybercriminals amass web  credentials for later use.

Those experts say breaches involving usernames and passwords are dangerous for consumers, who frequently use the same credentials for multiple sites. For instance, after hackers robbed customer credentials from Adobe last fall, Facebook FB -1.13% later discovered that some of its users employed the same username and password combination on their Facebook accounts.

“It doesn’t really matter which websites they get passwords from,” said Avivah Litan, a security analyst at Gartner. Litan said the type of theft Hold Security says it has documented has been going on “for a long time,” but said the number of records affected in this instance is notable.

In this case, Hold says the hackers hit some 420,000 Web addresses for both large and small sites. The list of affected sites “includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites,” the company says on its website.

The New York Times, which first reported on Hold Security’s findings, said the criminals are so far using the data for sending spam on social-media accounts.