If you’re an account holder of Russia’s Mail.ru, Google, Yahoo or Microsoft then you could be one of the unlucky 270 million whose email accounts have been compromised. And all of your information could possibly be sold for less than a dollar!
Alex Holden, a security expert who helped discover one of the largest caches of stolen usernames and passwords in 2014, now says more stolen credentials are being traded in Russia’s cyber underworld.
The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia's most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users, said Holden, founder and chief information security officer of Hold Security.
The company's researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials.
"This information is potent. It is floating around in the underground and this person has shown he's willing to give the data away to people who are nice to him," said Holden.
"These credentials can be abused multiple times."
LESS THAN $1
Mysteriously, the hacker asked just 50 roubles - less than $1 - for the entire trove, but gave up the dataset after Hold researchers agreed to post favourable comments about him in hacker forums, Holden said.
Such large-scale data breaches can be used to engineer further break-ins. They also allow the hacker to reach a universe of contacts tied to each compromised account, multiplying the risks of financial theft or reputational damage across the web.
What makes it easier for hackers to break into email accounts is people's habit of continuing to use favorite passwords.
After being informed of the potential breach of email credentials, Mail.ru said in a statement emailed to Reuters: "We are now checking, whether any combinations of usernames/passwords match users' e-mails and are still active.
"As soon as we have enough information we will warn the users who might have been affected," Mail.ru said in the email, adding that initial checks found no live combinations of usernames and passwords which match existing emails.
A Microsoft spokesman said stolen online credentials were an unfortunate reality. "Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access."
Yahoo and Google did not respond to requests for comment.
After eliminating duplicates, Holden said, the cache contained nearly 57 million Mail.ru accounts - a big chunk of the 64 million monthly active email users Mail.ru said it had at the end of last year.
Yahoo Mail credentials numbered 40 million, or 15 percent of the 272 million unique IDs discovered. Meanwhile, 33 million, or 12 percent, were Microsoft Hotmail accounts and 9 percent, or nearly 24 million, were Gmail.
In 2014, Holden, a Ukrainian-American who specialises in Eastern European cyber crime threats, uncovered a cache of 1.2 billion unique credentials that marked the world's biggest-ever recovery of stolen accounts.
His firm studies cyber threats playing out in the forums and chatrooms that make up the criminal underground, speaking to hackers in their native languages while developing profiles of individual criminals.
Holden said it’s better not to try and identify the hacker as that would expose the methods his researchers use to investigate the matter. Because the hacker vacuumed up data from many sources, researchers have dubbed him "The Collector".
Ten days ago, Milwaukee-based Hold Security began informing organisations affected by the latest data breaches. The company's policy is to return data it recovers at little or no cost to firms found to have been breached.
"This is stolen data, which is not ours to sell," said Holden.