Hundreds of millions of hacked usernames and passwords of email accounts, including those from Google, Yahoo and Microsoft are being traded in Russia’s criminal underworld, Alex Holden, founder and chief information security officer of Hold Security, a security expert is reported to have told Reuters.
Described to be one of the biggest stashes of stolen credentials to be uncovered since cyberattacks hit major US banks and retailers two years ago, the discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia’s most popular email service, and other email users, has sent shock waves across the world.
The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totaling 1.17 billion records.
Yahoo Mail credentials numbered 40 million, or 15 per cent of the 272 million unique IDs discovered. Meanwhile, 33 million, or 12 per cent, were Microsoft Hotmail accounts and 9 per cent, or nearly 24 million, were Gmail, according to Holden. Thousands of other stolen username/password combinations appear to belong to employees of some of the largest US banking, manufacturing and retail companies, he said.
After eliminating duplicates, Holden said, the cache contained nearly 57 million Mail.ru accounts – a big chunk of the 64 million monthly active email users Mail.ru said it had at the end of last year. It also included tens of millions of credentials for the world’s three big email providers, Gmail, Microsoft and Yahoo, plus hundreds of thousands of accounts at German and Chinese email providers. “This information is potent. It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him,” said Holden, the former chief security officer at US brokerage RW Baird. “These credentials can be abused multiple times,” he said.
As per reports, Holden was previously instrumental in uncovering some of the world’s biggest known data breaches, affecting tens of millions of users at Adobe Systems, JPMorgan and Target and exposing them to subsequent cyber crimes.
Mysteriously, the hacker asked just 50 Roubles — less than $1 — for the entire trove, but gave up the dataset after Hold researchers agreed to post favorable comments about him in hacker forums, Holden said. He said his company’s policy is to refuse to pay for stolen data.
Such large-scale data breaches can be used to engineer further break-ins or phishing attacks by reaching the universe of contacts tied to each compromised account, multiplying the risks of financial theft or reputational damage across the web.
Hackers know users cling to favorite passwords, resisting admonitions to change credentials regularly and make them more complex. It’s why attackers reuse old passwords found on one account to try to break into other accounts of the same user. After being informed of the potential breach of email credentials, Mail.ru Mail.ru said in a statement emailed to Reuters: “We are now checking, whether any combinations of usernames/passwords match users’ e-mails and are still active.
A Microsoft spokesman said stolen online credentials was an unfortunate reality. “Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access.” Stolen online account credentials are to blame for 22 per cent of big data breaches, according to a recent survey of 325 computer professionals by the Cloud Security Alliance.