Researchers nab millions of stolen credentials for Gmail, Hotmail, Yahoo, banking

A hacker handed over millions of stolen credentials for Google, Microsoft and Yahoo email accounts, as well as thousands for banking, manufacturing and retail, in exchange for researchers liking and voting up his social media page.

What’s the going rate for usernames and passwords of 272.3 million stolen accounts, many of which are email accounts? A young Russian hacker wanted 50 rubles, which is less than $1, but ended up handing over the data after researchers posted positive comments about him on social media.

Many of the “hundreds of millions of hacked usernames and passwords for email accounts and other websites,” were for Russia’s, according to Reuters, but some “Google, Yahoo and Microsoft email users” were also affected.

Breakdown of stolen credentials

As for the breakdown, Alex Holden, founder and chief information security officer of Hold Security, told Reuters, 40 million, or 15% of the 272 million unique IDs, were Yahoo Mail credentials; 33 million, or 12%, were for Microsoft Hotmail accounts; 24 million, or 9%, were from Gmail.

'The Collector' hacker had 1.17 billion stolen credentials

The discovery of millions of stolen credentials doesn’t stop there. Hold Security said a Russian kid had collected 1.17 billion stolen credentials from various breaches. Of those, 272 million were unique; the researchers said that translated into “42.5 million credentials – 15% of the total” that they had not seen before.

In 2014, Hold Security said it had obtained a massive database of 1.2 billion unique “credential pairs” which had been stolen by Russian hackers; the announcement left some security researchers with unanswered questions. In 2015, Hold Security announced that Russian hackers had breached 97 websites, most of which were dating-related. This time, the researchers discovered the credentials were being traded in a Russian criminal underworld forum.

The kid on the Deep Web, who researchers call “The Collector,” was reportedly “talkative, willing to brag and boast of his success stories.” Hold Security said, “We do not pay hackers for stolen data. If they have something new and valuable, we start our dance; ask, negotiate, finagle, anything permissible to get the data without rewarding the bad guys for their work.” After the hacker provided samples of the data, and the researchers verified the stolen credentials, they determined it was a “collection of multiple breaches.” They wanted it, so what did the hacker want in exchange?

Hold Security wrote:

“50 rubles” is what the hacker wants for this incredibly large set of data. He can’t be serious; based on today’s exchange rate it is less than one US dollar. This greatly impacts the data’s credibility and value, similar to an expensive sports car being sold for pennies at auction. “I am just getting rid of it but I won’t do it for free,” he replies. In all reality, 50 rubles is next to nothing, but we refuse to contribute even insignificant amounts to his cause. It is rather funny to negotiate over this, but finally the hacker just asks us to add likes/votes to his social media page (so much for anonymity). That we can do, and once he is satisfied with the results we get a link to an incredible 10 gigabytes in a compressed database, which takes us more than an hour to download.

The security firm reportedly began contacting affected organizations about the breaches 10 days ago.

Email service providers' responses

is checking if any of the stolen credentials match with email accounts that are still active, saying it will warn users when it has investigated, but so far none of the accounts match existing emails.

Microsoft told Reuters it “has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access.”

Neither Google nor Yahoo would comment.

“Thousands” of the “stolen username/password combinations appear to belong to employees of some of the largest U.S. banking, manufacturing and retail companies,” Holden said.

This breach is one more good reason to participate in World Password Day. Change your password, because if it is in the breach, hackers will try to use it again and again. How hard is it to find accounts you might have on other sites with similar usernames? If you reused a stolen password on other sites, that’s bad news for you. If you haven’t done so, start using multi-factor authentication to add another protective layer to your passwords.
