Hundreds of millions of hacked Gmail, Yahoo accounts on sale for $1
A new report found that Russia’s criminal underworld is trading hundreds of millions of stolen usernames and passwords belonging to these accounts.
Hundreds of millions of hacked usernames and passwords for email accounts and other websites are being traded in Russia’s criminal underworld, a security expert told Reuters.
This is according to an investigation, which spoke to Alex Holden, founder and chief information security officer of Wisconsin-based Hold Security.
This discovery of 272.3 million accounts included a majority of users of Mail.ru, Russia’s most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users, said Alex Holden, founder and chief information security officer of Hold Security.
It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major US banks and retailers two years ago.
Holden was previously instrumental in uncovering some of the world’s biggest known data breaches, affecting tens of millions of users at Adobe Systems, JPMorgan and Target and exposing them to subsequent cyber crimes.
The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of credentials, which ended up totalling 1.17 billion records.
Holden said the cache contained nearly 57 million Mail.ru accounts – a huge chunk of the 64 million monthly active email users Mail.ru said it had at the end of last year. It most probably also included tens of millions of credentials for the world’s three biggest email providers, Gmail, Microsoft and Yahoo, plus hundreds of thousands of accounts at German and Chinese email providers.
“This is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him,” said Holden, the former chief security officer at US brokerage RW Baird. “These credentials can be abused multiple times,” he also said.
LESS THAN $1
The hacker asked just 50 roubles – less than $1 – for the entire trove, but gave up the data set after Hold researchers agreed to post favorable comments about him in hacker forums, Holden said. He said his company’s policy is to refuse to pay for this data.
Such large-scale data breaches can be used to engineer further break-ins or phishing attacks by reaching the universe of contacts tied to each compromised account, multiplying risks of financial theft or reputational damage across the web.
Hackers know that users cling to favourite passwords, resisting admonitions to change credentials regularly and make them more complex. That is why attackers reuse old passwords found on one account to try to break into other accounts of the same user.
After being informed of the potential breach of email credentials, Mail.ru said in a statement emailed to Reuters: “We are now checking whether any combinations of usernames/passwords match users’ e-mails and are still active now.
“When we have enough information we will warn all users who might have been affected,” Mail.ru said in the email, adding that Mail.ru’s initial checks found no live combinations of usernames and passwords that match existing emails.
A Microsoft spokesman said stolen online credentials were an unfortunate reality. “Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access.”
Yahoo and Google did not respond to requests for comment.
Yahoo Mail credentials numbered 40 million, or 15 percent of the 272 million unique IDs discovered. Meanwhile, 33 million, or 12 percent, were Microsoft Hotmail accounts and 9 percent, or nearly 24 million, were Gmail, according to Holden.
Thousands of other stolen username/password combinations appear to belong to employees of some of the largest U.S. banking, manufacturing and retail companies, he said.
Stolen online account credentials are to blame for 22 percent of big data breaches, according to a recent survey of 325 computer professionals by the Cloud Security Alliance.
In 2014, Holden, a Ukrainian-American who specialises in Eastern European cyber crime threats, uncovered a cache of 1.2 billion unique credentials that marked the world’s biggest-ever recovery of stolen accounts.
His firm studies cyber threats playing out in the forums and chatrooms that make up the criminal underground, speaking to hackers in their native languages while developing profiles of individual criminals.
Holden said efforts to identify the hacker spreading the current trove of data or the source or sources of the stolen accounts would have exposed the investigative methods of his researchers. Because the hacker vacuumed up data from many sources, researchers have dubbed him “The Collector”.
Ten days ago, Milwaukee-based Hold Security began informing organisations affected by the latest data breaches. The company’s policy is to return data it recovers at little or no cost to firms found to have been breached.
“This is stolen data, which is not ours to sell,” said Holden.