Hundreds of millions of hacked usernames and passwords for some of the world’s largest webmail providers have been discovered up for sale on the Russian Dark Web. But while those make up the single-largest contribution to this collection, there are plenty of other big-name email providers involved here, and the presence of those accounts might be a lot more concerning to you. According to Holden, email accounts weren’t the only targets of this particular data breach, thousands of account details for employees at USA banks are also available to snag on the criminal market, along with employee details at United States manufacturing and retail companies.
Advertisement
These stolen accounts were discovered by Hold Security, where researchers found a Russian hacker, dubbed as “the Collector”, bragging that he was ready to “give away” these credentials, which totaled 1.17 billion records.
A Mail.ru spokesperson told Reuters, “We are now checking, whether any combinations of usernames/passwords match users’ e-mails and are still active”.
Around 40 million Yahoo Mail accounts have been compromised, 33 million Hotmail accounts and 24 million Gmail accounts. “It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him”. Because Holden has the policy not to pay for stolen data, the eventual deal was that Holden had to like and vote on a social media page.
“These credentials can be abused multiple times”.
Yahoo and Google did not respond to requests for comment. “Also it contains different passwords for the same email address, suggesting that the database was compiled from different, other websites, where the email address was used as the login”.
“[We would require] additional information to verify the account owner and help them regain sole access”, said a spokesman.
Advertisement
Yahoo Mail account details numbered 40m, or 15 per cent of the 272m unique IDs allegedly stolen. IT security experts recommend that users of the affected services change their passwords, or at least ensure that they are using two-step verification, wherever possible.
