Sign up for our newsletter
Technology / Cybersecurity

Hacker sells 272 million Hotmail, Google & Yahoo email accounts in major data breach

A Russian hacker has stolen the details of millions of hacked email accounts including those from Google Gmail, Yahoo Mail and Microsoft Hotmail.

Security firm Hold Security identified that user names and passwords of 272.3 million email account holders had been stolen by a hacker, with 42.5 million of them not figuring in earlier breaches.

However, the firm obtained the data for free. The hacker accepted to share the details after reaching an agreement with the firm, which involved Hod Security posting favourable comments about him or her on a forum.

Initially, the hacker asked the firm to pay just 50 roubles to disclose the details of the millions of hacked email accounts.

White papers from our partners

Hold Security in a statement, "50 rubles" is what the hacker wants for this incredibly large set of data. He can’t be serious; based on today’s exchange rate it is less than one US dollar.

"This greatly impacts the data’s credibility and value, similar to an expensive sports car being sold for pennies at auction."

Hold Security founder and chief information security officer Alex Holden told Reuters that while a significant amount of details belonged to users of Mail.ru, the hacked details of email accounts provided by Google, Yahoo and Microsoft accounted for only a small fraction of stolen data.

Holden, who was a former chief security officer at US brokerage R.W. Baird, said: "This information is potent. It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him.

"These credentials can be abused multiple times."

In reply to the breach of email accounts, Mail.ru said: "We are now checking, whether any combinations of usernames/passwords match users’ e-mails and are still active.

"As soon as we have enough information we will warn the users who might have been affected."

A Microsoft spokesman confirmed that online credentials were hacked.

The spokesman was quoted by Reuters as saying:"Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access."

While stolen credentials of Yahoo Mail users accounted for 40 million or 15% of the 272 million hacked accounts, 33 million or 12% of belonged to Microsoft Hotmail accounts, according to Holden.

Around 24 million or 9% of the total hacked details belonged to Gmail users.

"This is stolen data, which is not ours to sell," said Holden.

"Besides automated harvesting on a daily basis, we interface with hundreds of hackers, monitoring if they have any new information. We do not pay hackers for stolen data. If they have something new and valuable, we start our dance; ask, negotiate, finagle, anything permissible to get the data without rewarding the bad guys for their work," the security firm said.

"Over the past month (April of 2016) we have identified 120 million stolen records. This stolen data consists of information from a major Eastern European communication firm, some medium size online service providers, and mostly unattributed data moved around by hackers in search of easy gains," it added.
This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.