NEW YORK—Usernames and passwords for more than 250 million stolen Yahoo Mail, Gmail, Hotmail, and other accounts are being swapped around in Russia’s criminal underworld, according to Reuters.
The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia's most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users, Alex Holden, founder and chief information security officer of Hold Security, told Reuters.
It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago.
The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totaling 1.17 billion records, Reuters said.
After eliminating duplicates, Holden said, the cache contained nearly 57 million Mail.ru accounts.
The rest break down to: Yahoo Mail (40 million emails compromised), Microsoft Hotmail (33 million), and Gmail (24 million). Other credentials from email providers in Germany and China are also affected. It’s not clear if any of these accounts have actually been breached. Many of the emails link to employees of some of the largest U.S. banking, manufacturing, and retail companies, Reuters said. Hold Security has been informing affected companies and organizations.
"This information is potent. It is floating around in the underground and this person has shown he's willing to give the data away to people who are nice to him," Holden told Reuters. "These credentials can be abused multiple times," he said.
The Russian hacker allegedly asked for 50 rubles, less than $1, for the data. But the security company received a copy after it agreed to post positive comments about the Russian in various hacker forums. The company didn’t pay for the stolen data, as it went against company policy.
Such large-scale data breaches can be used to engineer further break-ins or phishing attacks by reaching the universe of contacts tied to each compromised account, multiplying the risks of financial theft or reputational damage across the web, Reuters noted.