The usernames and passwords for over 270 million hacked email accounts are being traded on Russia’s black market.
One security expert warns that while most of them are Mail.ru accounts for Russia’s most popular email service, tens of millions of them belong to Gmail, Microsoft, and Yahoo Mail users.
“It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago,” reports Reuters, citing Alex Holden, founder and chief information security officer at Hold Security.
Hold Security’s discovery came after researches stumbled across a young Russian hacker who bragged about collecting stolen email credentials in a Russian forum. He claimed to have over 1.17 billion to giveaway, but the actual figure — without duplicates — was a lot less.
Almost 57 million of them belonged to Mail.ru users, and when you consider the service has 64 million active users in total, it seems the vast majority are effected. And those in Russia aren’t they only ones at risk, Holden warns.
The hacker’s list also contained nearly 24 million login credentials for Gmail, 33 million for Microsoft Hotmail, and 40 million for Yahoo Mail accounts around the world — plus hundreds of thousands belonging to those who use German and Chinese mail providers.
The scariest bit? The hacker was selling them all for just 50 roubles, which is less than $1. But he eventually agreed to hand the list over to Hold Security after researchers agreed to post favorable comments about him in other hacker forums.
“This information is potent,” Holden told Reuters. “It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him.”
Don’t think we’re safe now Hold Security has these credentials. The hacker may well have provided the account details to others, and Holden says they can be “abused multiple times.” They could also lead to further break-ins and phishing attacks.
Mail.ru has stated that it is investigating Hold Security findings and trying to establish whether the usernames and passwords that were leaked still match up and are still active. Meanwhile, Microsoft says it has other measures in place to detect compromised accounts.
Google and Yahoo are yet to respond.
Hold Security has uncovered massive data breaches before — including those affecting tens of millions of users at Adobe, JPMorgan, and Target. This could well be its biggest yet.