More than 272.3 million usernames and passwords for email accounts, including those from Google, Yahoo and Microsoft, have been swiped and may be available for sale in Russia’s criminal underworld.
A new report from the Milwaukee-based Hold Security, published by Reuters, revealed that a Russian hacker obtained login credentials mostly for accounts at Mail.ru, Russia’s most popular email service, though the list also included tens of millions of accounts from the three U.S. email providers.
Thousands of stolen credentials belong to employees of some of the largest U.S. financial institutions, manufacturing and retail companies, the firm revealed.
Alex Holden, founder and chief information security officer at Hold Security, said researchers found the data cache by accident after discovering that a young Russian hacker had boasted on a forum about his collection and said he was ready to give away a large number of stolen credentials that totaled 1.17 billion records.
After eliminating duplicates, Holden said he believed he found 57 million Mail.ru accounts, a large number compared to the 64 million monthly users the service said it had. The database included credentials from Yahoo (40 million accounts), Microsoft (33 million accounts) and Gmail (24 million accounts), and hundreds of thousands of accounts from German and Chinese email providers.
The unidentified hacker, who obtained the data from various unspecified sources, said he was looking to sell it for just $1 and made it available to Holden in exchange for favorable comments.
“This information is potent,” Holden said. “It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him.”
Making matters worse is users’ tendency to reuse certain passwords across multiple online services.
“These credentials can be abused multiple times,” Holden said.
Hold Security contacted the affected organizations 10 days ago. Reuters said the company’s policy is to return the data it recovers at little or no cost to the breached entities.
“As soon as we have enough information, we will warn the users who might have been affected,” Mail.ru said in an email, adding that Mail.ru’s initial checks found no live combinations of user names and passwords that match existing email accounts.
“We’re seeing a proverbial panic in the streets because millions of passwords may have been stolen,” John Peterson, vice president of enterprise products at the Clifton, N.J.-based cybersecurity firm Comodo, said. “But that reaction is the opposite of how the cybersecurity industry is reacting – since that’s all we think about every day: Hoping for the best, planning for the worst. There needs to be a sense of heightened security every day when it comes to cyberattacks and thinking passwords could be stolen.”
Peterson explained that consumers, small businesses and large enterprises all need to understand that criminals run established, working organizations with paid hackers, spammers and phishing experts who think of ways to steal and leverage passwords, bank records, Social Security numbers, company trade secrets and data, and credit card and financial data every minute of every day.
“Only with end-to-end security that takes into account issues like endpoint, breach detection and secure web gateways can companies of all sizes look to beat the cybercriminal at their own game,” he said.