If there’s something that you want to buy or sell, and it isn’t exactly what you would deem “legitimate”, then the chances are that you can utilize the infrastructure of the underground Russian black market to get the deal done. Much to the disbelief and disdain of email users from all over the world, it seems that the reach of the Russian underground market also extends to the trading of over 270 million email login credentials belonging to individuals who have unknowingly had their account credentials hacked and saved.
Alex Holden, founder and Chief Information Security Officer at Hold Security, has said that the trading of these accounts represents “one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago”. Most of those account credentials that are being offered belong to Russia’s Mail.ru account holders, but the discovery has also revealed that tens of millions of those accounts belong to Gmail, Yahoo and Microsoft email services. This likely means that a large number of those affected are based internationally outside of Russia.
Hold Security managed to gain knowledge of the situation after a number of researchers came across a Russian hacker bragging about holding more than one billion account credentials on a Russian forum. In reality, once duplications were removed, the total number of hacked accounts was significantly less than the original number quoted. The terrifying thing is that 57 million of those accounts belong to the Mail.ru service, which in total only has 64 million active users. If you have a Mail.ru account, and aren’t part of this expose, then you can count yourself in the lucky minority it seems.
In total, the list of exposed email accounts included 24 million active Gmail accounts, 33 million sets of credentials belonging to Microsoft’s Hotmail service, and 40 million exposed Yahoo email accounts. The list also contained account credentials from prominent German and Chinese mail providers running into the hundreds of thousands, while thousands of other stolen credentials appear to “belong to employees of some of the largest U.S. banking, manufacturing and retail companies”.
The account credentials were eventually handed over to Hold Security, but that doesn’t exactly mean that the data is safe as it could have already been shared with other less trusting parties. Microsoft has responded to the breach by stating that the company has other measures in place to protect accounts that could potentially be compromised, whereas Gmail and Yahoo are yet to discuss the exposed data.
The advice here? If you have an email account belonging to one of those providers, change the password immediately, regardless of your location. Also make sure you turn on two-step verification on your account where applicable.