Hundreds of millions of hacked usernames and passwords for some of the world's largest webmail providers have been discovered up for sale on the Russian Dark Web.
Alex Holden, founder and chief information security officer of Hold Security, told Reuters that the cache consists of 272.3 million stolen account credentials. These include Yahoo Mail credentials, which numbered 40 million, or 15% of the 272 million unique IDs discovered. Meanwhile, 33 million, or 12%, were Microsoft Hotmail accounts and 9%, or nearly 24 million, were Gmail, according to Holden.
Also included are a majority of users of Mail.ru, Russia's most popular email service—totaling 57 million compromised accounts. In addition, thousands of other stolen username/password combinations appear to belong to employees of some of the largest US banking, manufacturing and retail companies, he said.
The discovery came after Hold Security researchers found a young Russian hacker bragging about the heist in an online forum. Most concerningly, he seemed to be in it for the notoriety: not only was he asking just 50 rubles for the whole shebang (less than $1), but he also quickly gave up the war chest to Hold Security in return for a promise to “post favorable comments about him in hacker forums,” according to Holden.
"This information is potent. It is floating around in the underground and this person has shown he's willing to give the data away to people who are nice to him," said Holden. "These credentials can be abused multiple times [due to password reuse]."
Mail.ru said in a statement that it’s investigating the claim: "We are now checking whether any combinations of usernames/passwords match users' e-mails and are still active. As soon as we have enough information we will warn the users who might have been affected." It also said that its initial checks found no live combinations of usernames and passwords which match existing accounts.
A Microsoft spokesman said: "Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access."
Yahoo and Google thus far have not responded to Holden’s revelations.
“The size of this breach highlights the fact that neither individuals, nor organizations, can rely on conventional techniques such as encryption or privilege to protect against the theft of usernames and passwords,” said Will Harwood, founder and CTO of UK firm Silicon:SAFE, which develops hardware solutions that prevent bulk identity theft. “The recent history of large-scale password breaches has demonstrated that these techniques have failed.”
He told Infosecurity, “The solution is to put bulk password data ‘beyond reach’ in a dedicated hardware-supported database that only allows data to be stored and compared, never revealed. This makes it impossible for anyone—whether a criminal or a system administrator—to read the password database or extract passwords from it.”