Reuters reported that “hundreds of millions of hacked usernames and passwords for email accounts and other websites are being traded in Russia’s criminal underworld”.
According to the report, 40 million Yahoo Mail accounts, 33 million Microsoft Hotmail accounts, and 24 million Gmail accounts are compromised.
Quoting Alex Holden, founder and chief information security officer of Hold Security, Reuters said this is one of the biggest lists of stolen credentials ever uncovered.
Holden told Reuters the information is “potent”, and that it is “floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him”.
According to Holden, the hacker collected the compromised email account data from multiple sources.
The breach underscores the security benefits of using 2-step verification, where a user first enters their email password and then a security code that is sent to them via text message or a mobile app.
Another option is to use a Security Key, which can be hosted on a flash drive and must be inserted into your computer’s USB port when accessing your email account.
Gmail, Yahoo, and Hotmail users are advised to change their passwords immediately to avoid possible security breaches.
How Hold Security gets their information
Hold Security said that, besides automated harvesting on a daily basis, it interfaces with hundreds of hackers – monitoring whether they have new information.
“We do not pay hackers for stolen data. If they have something new and valuable, we start our dance; ask, negotiate – anything permissible to get the data,” said Hold Security.
The hacker wanted 50 rubles for the email credentials, but a Hold Security researcher said that, despite the low amount, they were not willing to pay.
“Finally, the hacker just asks us to add likes/votes to his social media page (so much for anonymity),” said the researcher.
“That we can do, and once he is satisfied with the results we get a link to an incredible 10GB in a compressed database.”
The researchers checked the data, and found a lot of duplication.
“Out of 80 million credentials starting with the letter ‘a’, only 19 million unique credential pairs were found,” said the researcher.
Most of the leaked data was also previously available.
Massive amount of new information available
Hold Security said the hacker shared more information with them after their initial negotiations.
“At the end, this kid from a small town in Russia collected an incredible 1.17 billion stolen credentials from numerous breaches that we are still working on identifying.”
“272 million of those credentials turned out to be unique, which translated to 42.5 million credentials – 15% of the total – that we have never seen before.”