Hacker Trades 272 Million Stolen Email Credentials for $1

Alex Holden of Wisconsin-based information security company Hold Security has reported finding millions of user account credentials, including email addresses, in a hacker's collection. The data included millions of credentials for major email providers Mail.ru, Google, Yahoo, and Microsoft (Hotmail), along with email service providers from Germany and China.

Holden reported that the discovery came after the firm’s researchers stumbled upon a hacker boasting in a Russian underground online forum that he had amassed stolen user credentials totaling 1.17 billion records. After further analysis and eliminating duplicates, the firm identified 272.3 million unique credentials, 15% of which had never been leaked before. Holden noted that 57 million of those credentials were from Mail.ru accounts, a significant number compared to the 64 million monthly active users Mail.ru said it had at the end of 2015. The rest of the stolen accounts included 40 million Yahoo! accounts, 33 million Hotmail accounts, and 24 million Gmail accounts.

Interestingly, the hacker originally asked for 50 roubles (less than $1) for the entire trove of data, but Hold Security was able to obtain the data for free by agreeing to post positive comments about him in hacker forums.

This incident is yet another in a string of data breaches that have transpired over the past weeks, including notable incidents involving Verizon Enterprise, The Catholic Archdiocese of Denver, Stanford University, and supermarket chain Sprouts Farmers Market.

Data breach incidents such as this pose a considerable risk in that stolen email credentials can be used as a platform for launching spam and phishing attacks on contacts tied to the compromised account. They can also be used to commit identity theft and espionage as well as steal intellectual property and financial information.

After being notified of the breach, Mail.ru told Reuters in a statement, “We are now checking whether any combinations of username/password match [active accounts] - and as soon as we have enough information we will warn the users who might have been affected. The first check of a sample of data showed that it does not consist of any real live combinations of usernames and passwords.”

Microsoft added that it has put in place security measures that require additional information to verify account ownership and help users regain access to their accounts. Users can also get an extra layer of security for online accounts by enabling two-factor authentication on services that support it.

Update: 5/9/2016

The data was not collected from a breach—or at least not a recent one—and may have been collected from a number of old data dumps.   

After analyzing 57 million Mail.ru credentials included in a sample of the data Holden procured, the Russian email service found that 99.9% of the accounts were invalid. According to a press release from Mail.ru, 22.56% of the database entries did not exist, 64.27% had wrong passwords, and some of the entries didn't have any passwords. Only 0.018% of the username/password combinations in the sample could have worked, and the affected users have already been notified.  

Google also analyzed a batch of credentials and found that more than 98% of the Google account credentials included in the research "turned out to be bogus."

