A number of 72.3 million email accounts and credentials from Mail.ru, Gmail, Yahoo, and Outlook are being negotiated by Russian hackers. Alex Holden, founder of Hold Security, said the data has been offered on an internet forum for less than a dollar. This could be one of the largest batches of stolen credentials ever discovered.
Holden is recognized for having discovered other major data breaches, which have impacted tens of millions of users at Adobe Systems, JPMorgan, and target. The security expert found a young Russian hacker who was offering all the collected data in a forum, said Reuters on Thursday.
The hacker claimed to have 1.17 billion records, including email data and credentials. After eliminating duplicates, Holden registered 57 million accounts from Mail.ru, which is among the most popular email services used in Russia.
Last year, Mail.ru said it had 65 million monthly active users. Data also included credentials for Gmail, Yahoo Mail, Microsoft’s Outlook, and other email providers in Germany and China. The pack of data was first offered for 50 roubles, which is less than a dollar, said Reuters.
Data was delivered to Hold after researchers agreed to write good comments about the hacker in Internet forums. Due to policies of the company, researchers must reject money transactions for stolen data, said Holden to Reuters.
“This information is potent. It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him. These credentials can be abused multiple times,” said Holden, the former chief security officer at U.S. brokerage R.W. Baird, to Reuters.
Which is the impact of this security breach?
Massive data breaches can be used for future phishing attacks by obtaining data or contacts related to each email account. At the same time, they can increase risks of financial theft or reputational damage on the internet.
Mail.ru said in a statement to Reuters that the company is already checking the data by analyzing if combinations of usernames and passwords match the emails. The Russian company plans to contact users if they are affected by the data leaks.
On the other hand, Microsoft recognized that online credentials were stolen. A spokesman for the company said the email service offers strong security measures in order to detect account compromise. Users will be always able to regain access, he added.
Of all stolen credentials, 40 million belong to Yahoo Mail, while 33 million belong to Microsoft Hotmail accounts. Gmail was the least affected, with nearly 24 million credentials, said Reuters. Hold security began contacting firms affected last week. The company plans to provide the obtained data for no cost.