More than 272.3 million usernames and passwords for email accounts, including those from Google, Yahoo and Microsoft, have been swiped and may be available for sale in Russia’s criminal underworld.
A new report from the Milwaukee-based Hold Security, published by Reuters, revealed a Russian hacker obtained login credentials for mostly Mail.ru accounts, Russia’s most popular email service, though the list also included tens of millions of accounts from the three U.S. email providers.
Thousands of stolen credentials belong to employees of some of the largest U.S. financial institutions, manufacturing and retail companies, the firm revealed.
Alex Holden, founder and chief information security officer at Hold Security, said researchers found the data cache by accident after discovering a young Russian hacker boasted on a forum about his collection and said he was ready to give away a large number of stolen credentials that totaled 1.17 billion records.
After eliminating duplicates, Holden said he believed he found 57 million Mail.ru accounts, a large number compared to the 64 million monthly users the service said it had. The database included credentials from Yahoo (40 million accounts), Microsoft (33 million accounts) and Gmail (24 million accounts), and hundreds of thousands of accounts from German and Chinese email providers.
The unidentified hacker, who obtained the data from various unspecified sources, said he was looking to sell it for just $1 and made it available to Holden in exchange for favorable comments.
“This information is potent,” Holden said. “It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him.”
Making matters worse is users’ tendency to reuse certain passwords across multiple online services.