Hold Security described the hack as the "largest data breach known to date".
It claimed the stolen information came from more than 420,000 websites, including "many leaders in virtually all industries across the world".
Hold Security did not give details of the companies affected by the hack.
"They didn't just target large companies; instead, they targeted every site that their victims visited," Hold Security said in its report.
"With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites."
The New York Times, which first reported the findings
, said that on its request "a security expert not affiliated with Hold Security analysed the database of stolen credentials and confirmed it was authentic".
"Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information," the paper said.
The paper added: "Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable."
The Wall Street Journal later revealed that Hold Security intended to offer website owners the ability to check whether they had been affected, but only if they paid a fee.
The firm initially posted a message on its site saying it would charge $120 (£71) a month for the "breach notification service", however the details have since been replaced with a message saying "coming soon!".
One computer security expert said he was surprised by this approach.
"This situation is quite unusual in that the company has decided to charge for this information," Dr Steven Murdoch from University College London's computer science department told the BBC.
"Usually they would do an initial disclosure [of who had been affected] for free and then offer their services for a fee at a later stage.
"The company rightly points out that there is going to be a huge amount of work to securely contact all the affected websites, but a common solution to this is to partner with a government or industry-funded organisation to help with that."
Despite the large amount of credentials said to have been compromised, Dr Murdoch added that it would be premature to advise the public to reset all their passwords.
"Although there's a large amount of passwords involved, a lot of them could be irrelevant and many of the websites tiny," he said.
"It's not necessarily the case that a large proportion of internet users have been affected. Until we get more statistics we won't know that.
"So, there's no reason to panic now, but perhaps it's a good reminder to follow best practice of not using the same password on multiple websites, because this will not be the last time such a breach happens."
Hold Security, which has previously reported about hacks on Adobe and Target, said it took more than seven months of research to discover the extent of the latest hack.
The firm claimed the gang initially acquired databases of stolen credentials from fellow hackers on the black market.
"These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems," Hold Security said.
The hackers also got access to data from botnets - a network of computers infected with malware to trigger online fraud.
Hold Security said the botnets helped the hacking group - which it dubbed CyberVor - identify more than 400,000 websites that were vulnerable to cyber attacks.
"The CyberVors used these vulnerabilities to steal data from these sites' databases," the firm said.
"To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totalling over 1.2 billion unique sets of e-mails and passwords."