A new report shows that hackers from Russia have obtained login credentials for more than 272.3 million email accounts, which are now available for sale in Russia’s criminal underworld. Most of them are Mail.ru accounts, though the list also includes smaller fractions of Google, Yahoo, and Microsoft email users.
The discovery comes from Hold Security, with Reuters saying it’s one of the biggest stashes of credentials to be discovered since the cyber attacks that hit U.S. banks and retailers in 2014.
Alex Holden, founder and chief information security officer at Hold Security, has uncovered some of the largest known data breaches in previous years, including the attacks on JPMorgan, Target, and Adobe Systems.
Researchers found the treasure trove of information by accident, after discovering a young Russian hacker on a forum. He was bragging that he had collected and was going to give away a large number of stolen credentials that amounted to 1.17 billion records.
After eliminating duplicates, Holden said he found 57 million Mail.ru accounts, which is an enormous number compared to the 64 million monthly users the service said it had late last year. The database includes tens of millions of credentials from Gmail (24 million), Microsoft (33 million), and Yahoo (40 million), and hundreds of thousands of accounts from German and Chinese email providers.
Thousands of stolen credentials belong to employees of some of the largest U.S. banks, manufacturing and retail companies, the firm revealed.
“This information is potent. It is floating around in the underground, and this person has shown he’s willing to give the data away to people who are nice to him,” Holden said. “These credentials can be abused multiple times.”
Because people tend to favor certain passwords and reuse them across online services, this type of stolen information may be very valuable to certain people.
But the unidentified hacker, who obtained the data from various unspecified sources, was looking to sell it for just $1 and made it available to Holden in return for favorable comments.
Hold Security contacted the affected organizations 10 days ago, with Reuters saying that the company’s policy is to return data it recovers at little or no cost to the firms that were breached.
What’s more disturbing is that it’s not clear yet how hackers obtained the data.
UPDATE: Reuters’ report has been proven false.