Security firm finds 272m hacked e-mail accounts
Print Edition
HUNDREDS of millions of hacked usernames and passwords for e-mail accounts and websites are being traded in Russia’s criminal underworld, a security expert has said.
The discovery of more than 272 million stolen accounts included a majority of users of Mail.ru, Russia’s most popular e-mail service, and smaller fractions of Google, Yahoo and Microsoft e-mail users, said Alex Holden, founder and chief information security officer of Hold Security.
It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major United States banks and retailers two years ago.
Holden was previously instrumental in uncovering some of the world’s biggest known data breaches, affecting tens of millions of users at Adobe Systems, JPMorgan and Target and exposing them to subsequent cyber crimes.
The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totaling almost 1.2 billion records.
After eliminating duplicates, Holden said, the cache contained nearly 57 million Mail.ru accounts — a big chunk of the 64 million monthly active e-mail users the company said it had at the end of last year.
It also included tens of millions of credentials for the world’s three big e-mail providers, Gmail, Microsoft and Yahoo, plus hundreds of thousands of accounts at German and Chinese e-mail providers.
“This information is potent. It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him,” Holden said. “These credentials can be abused multiple times.”
Mysteriously, the hacker asked just 50 roubles (75 US cents) for the entire trove, but gave up the data after Hold researchers agreed to post favorable comments about him in hacker forums, Holden said.
Such large-scale data breaches can be used to engineer further break-ins or phishing attacks by reaching the universe of contacts tied to each compromised account, multiplying the risks of financial theft or reputational damage across the web.
Hackers know users cling to favorite passwords, resisting admonitions to change credentials regularly and make them more complex. It’s why attackers reuse old passwords found on one account to try to break into other accounts of the same user.
After being informed of the potential breach of e-mail credentials, Mail.ru spokeswoman Madina Tayupova told Reuters: “We are now checking, whether any combinations of usernames/passwords match users’ e-mails and are still active.
“As soon as we have enough information we will warn the users who might have been affected,” she said, adding that Mail.ru’s initial checks found no live combinations of usernames and passwords that match existing e-mails.
A Microsoft spokesman said stolen online credentials was an unfortunate reality.
“Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access.”
Yahoo and Google did not respond to requests for comment.
Yahoo Mail credentials numbered 40 million, or 15 percent of the 272 million IDs discovered, while 33 million, or 12 percent, were Microsoft Hotmail accounts and 9 percent, or nearly 24 million, were Gmail, Holden said.
Thousands of other username/password combinations appear to belong to employees of some of the largest US banking, manufacturing and retail companies, he said.
Stolen online account credentials are to blame for 22 percent of big data breaches, according to a recent survey of 325 computer professionals by the Cloud Security Alliance.
Holden said efforts to identify the hacker spreading the trove of data or the sources of the stolen accounts would have exposed the investigative methods of his researchers.
- About Us
- |
- Terms of Use
- |
-
RSS - |
- Privacy Policy
- |
- Contact Us
- |
- Shanghai Call Center: 962288
- |
- Tip-off hotline: 52920043
- 娌狪CP璇侊細娌狪CP澶05050403鍙-1
- |
- 浜掕仈缃戞柊闂讳俊鎭湇鍔¤鍙瘉锛31120180004
- |
- 缃戠粶瑙嗗惉璁稿彲璇侊細0909346
- |
- 骞挎挱鐢佃鑺傜洰鍒朵綔璁稿彲璇侊細娌瓧绗354鍙
- |
- 澧炲肩數淇′笟鍔$粡钀ヨ鍙瘉锛氭勃B2-20120012
Copyright 漏 1999- Shanghai Daily. All rights reserved.Preferably viewed with Internet Explorer 8 or newer browsers.
