Hacker leaks millions of Hotmail, Gmail, and Yahoo Mail usernames and passwords


Batu69

A number of major webmail services have suffered one of the largest security breaches in recent years. The account details of Gmail, Yahoo Mail, Hotmail, and Mail.ru are just four of the services affected.

 

Security firm Hold Security says that it has been contacted by a hacker in possession of 272 million unique pairs of email addresses and unencrypted passwords. This is far from an insignificant number, and the situation is made all the worse as the data is being freely shared for just about anyone to access.

 

Hold Security says that it was initially contacted by the hacker who was seeking a nominal fee for access to gigabytes of data. Unwilling to contribute to the hacker financially, the security firm negotiated and obtained the data for free. This initially appeared disappointing as it comprised data collected from previous security breaches. But with a little probing, things became more interesting:

Quote

When we peel back the layers and dig deeper, we find that the hacker is holding something back from us. Within several days of communication and after a couple more strategically timed votes on his social media pages, he shared more useful information. At the end, this kid from a small town in Russia collected an incredible 1.17 Billion stolen credentials from numerous breaches that we are still working on identifying. 272 million of those credentials turned out to be unique, which in turn, translated to 42.5 million credentials -- 15% of the total, that we have never seen before.

 

There is obviously potential for this data to be misused. Talking to the BBC, Alex Holden from Hold Security said:

Quote

There are hacker sites that advertise 'brute forcing' popular services and store fronts by taking a large amount of credentials and running them one-by-one against the site. What makes this discovery more significant is the hacker's willingness to share these credentials virtually for free, increasing the number of… malicious people who might have this information.

 

But while the numbers seem high -- 57 million Mail.ru accounts, 40 million Yahoo accounts, 33 million Hotmail accounts and 24 million Gmail accounts -- Mail.ru says that not all of the data is valid. Microsoft, Google and Yahoo are all currently investigating the data and talking with Hold Security.

 

Article source


My email address pwned! Da faq?

 

A message to security firms and email providers like Google and Microsoft: if you had hired pigs instead of your current employees, you would be able to provide more security to your customers.

 

BTW, isn't it weird that most bug finders and hackers are kids these days? What, is the current generation an evolution bomb?



straycat19
8 hours ago, vibranium said:

https://haveibeenpwned.com is your friend.

 

Not really. There isn't much current data, if any, on that site, and certainly none of the email accounts that have been hacked in the last five years. I tested known hacked email accounts and none of them showed up on that site. Anyone who uses a simple password instead of a passphrase, and doesn't change it regularly without ever repeating it, is asking to have their account hacked. Some of the most difficult passwords are actually relatively easy to come up with, such as taking a book, selecting a sentence out of it and then using the first letter of every word to form a password, adding numbers and special characters based upon some formula that you come up with, such as the line number and the page number, and using special characters to separate words. Then every couple of weeks choose another sentence, create the password and change it. Most people are too lazy to type in a long string of characters, so they forego security because they are lazy.



vibranium

Yes, I agree. Unfortunately that's the only way for non-savvy people to check.



I'm sure the companies are going to notify all affected accounts and ask them to change their passwords, so the crooks who got the accounts won't get to keep them.



  • Administrator

I'm surprised. The mail providers did not block the IPs or the account for brute forcing nor did they alert the users - I believe gmail does that. Something does not add up. Either this is not fully true or the security is compromised somewhere.

 

Either way, this is why 2FA is important, I think.

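Holden's description of credentials being run "one-by-one against the site" and DKT27's expectation that a provider would block the source IP are the same problem seen from the attacker's and the defender's side. The following is an added example, not code from the article or from anyone in this thread: it parses constructed login log lines (the log format, the source addresses and the account names are all assumptions) and flags a source that walks through many distinct accounts with a high failure ratio inside a short window, then lists the accounts that did succeed from that source so they can be forced through a reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread): 203.0.113.5 cycles
# through ten different accounts with mostly failures, while 198.51.100.7
# is a shared office address where a few users log in normally.
SAMPLE_LOG = """\
2016-05-05T10:00:01Z login src=203.0.113.5 user=alice@example.com result=fail
2016-05-05T10:00:02Z login src=203.0.113.5 user=bob@example.com result=fail
2016-05-05T10:00:02Z login src=203.0.113.5 user=carol@example.com result=fail
2016-05-05T10:00:03Z login src=203.0.113.5 user=dave@example.com result=ok
2016-05-05T10:00:03Z login src=203.0.113.5 user=erin@example.com result=fail
2016-05-05T10:00:04Z login src=203.0.113.5 user=frank@example.com result=fail
2016-05-05T10:00:04Z login src=203.0.113.5 user=grace@example.com result=fail
2016-05-05T10:00:05Z login src=203.0.113.5 user=heidi@example.com result=fail
2016-05-05T10:00:05Z login src=203.0.113.5 user=ivan@example.com result=fail
2016-05-05T10:00:06Z login src=203.0.113.5 user=judy@example.com result=fail
2016-05-05T10:01:00Z login src=198.51.100.7 user=mallory@example.com result=ok
2016-05-05T10:01:30Z login src=198.51.100.7 user=oscar@example.com result=fail
2016-05-05T10:01:35Z login src=198.51.100.7 user=oscar@example.com result=ok
2016-05-05T10:02:00Z login src=198.51.100.7 user=peggy@example.com result=ok
"""

# Assumed log format; a real deployment would parse its own auth log schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Yield (timestamp, src, user, result) tuples; lines that don't match are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["user"], m["result"]


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=8, min_fail_ratio=0.8):
    """
    Flag source addresses that, inside a sliding time window, attempt at least
    `min_distinct_users` different accounts with a failure ratio of at least
    `min_fail_ratio`. The distinct-account count is the discriminating signal:
    one user mistyping a password is not stuffing, one source walking a list
    of accounts is. Returns {src: {"users": n, "fail_ratio": r}} for the
    strongest window seen per flagged source.
    """
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))

    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        best = None
        for end in range(len(attempts)):
            # Advance the window start so every attempt in it lies within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, r in chunk if r == "fail")
            ratio = fails / len(chunk)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                if best is None or len(users) > best["users"]:
                    best = {"users": len(users), "fail_ratio": round(ratio, 2)}
        if best:
            flagged[src] = best
    return flagged


def compromised_accounts(events, flagged_sources):
    """Accounts that logged in successfully from a flagged source: candidates for a forced reset."""
    return sorted({u for _, src, u, r in events if src in flagged_sources and r == "ok"})


if __name__ == "__main__":
    evs = list(parse_log(SAMPLE_LOG))
    hits = detect_credential_stuffing(evs)
    print("flagged sources:", hits)
    print("successful logins from flagged sources:", compromised_accounts(evs, hits))
```

The shared office address in the sample stays below threshold because only a few accounts with a low failure ratio are involved, which is the case that makes pure failure counting unreliable. In production the thresholds are tuned per user population, and the response to a hit is a step-up challenge or throttle on that source rather than an outright block, since blocking a NAT address locks out everyone behind it.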


1 hour ago, Holmes said:

I'm sure the companies are going to notify all affected accounts and ask them to change their passwords, so the crooks who got the accounts won't get to keep them.

 

Do you think it's some kind of notification for the hack?



Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia's criminal underworld, a security expert told Reuters.

The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru (MAILRq.L), Russia's most popular email service, and smaller fractions of Google (GOOGL.O), Yahoo (YHOO.O) and Microsoft (MSFT.O) email users, said Alex Holden, founder and chief information security officer of Hold Security.
 

It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago.

Holden was previously instrumental in uncovering some of the world's biggest known data breaches, affecting tens of millions of users at Adobe Systems (ADBE.O), JPMorgan (JPM.N) and Target (TGT.N) and exposing them to subsequent cyber crimes.

 

The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totalling 1.17 billion records.

After eliminating duplicates, Holden said, the cache contained nearly 57 million Mail.ru accounts - a big chunk of the 64 million monthly active email users Mail.ru said it had at the end of last year. It also included tens of millions of credentials for the world's three big email providers, Gmail, Microsoft and Yahoo, plus hundreds of thousands of accounts at German and Chinese email providers.

"This information is potent. It is floating around in the underground and this person has shown he's willing to give the data away to people who are nice to him," said Holden, the former chief security officer at U.S. brokerage R.W. Baird. "These credentials can be abused multiple times," he said.

 

LESS THAN $1

Mysteriously, the hacker asked just 50 roubles – less than $1 – for the entire trove, but gave up the dataset after Hold researchers agreed to post favourable comments about him in hacker forums, Holden said. He said his company’s policy is to refuse to pay for stolen data.

Such large-scale data breaches can be used to engineer further break-ins or phishing attacks by reaching the universe of contacts tied to each compromised account, multiplying the risks of financial theft or reputational damage across the web.

 

Hackers know users cling to favourite passwords, resisting admonitions to change credentials regularly and make them more complex. It's why attackers reuse old passwords found on one account to try to break into other accounts of the same user.

After being informed of the potential breach of email credentials, Mail.ru said in a statement emailed to Reuters: "We are now checking whether any combinations of usernames/passwords match users' e-mails and are still active.

"As soon as we have enough information we will warn the users who might have been affected," Mail.ru said in the email, adding that Mail.ru's initial checks found no live combinations of user names and passwords which match existing emails.

A Microsoft spokesman said stolen online credentials were an unfortunate reality. "Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access."

Yahoo and Google did not respond to requests for comment.

Yahoo Mail credentials numbered 40 million, or 15 percent of the 272 million unique IDs discovered. Meanwhile, 33 million, or 12 percent, were Microsoft Hotmail accounts and 9 percent, or nearly 24 million, were Gmail, according to Holden.

Thousands of other stolen username/password combinations appear to belong to employees of some of the largest U.S. banking, manufacturing and retail companies, he said.

Stolen online account credentials are to blame for 22 percent of big data breaches, according to a recent survey of 325 computer professionals by the Cloud Security Alliance.

In 2014, Holden, a Ukrainian-American who specialises in Eastern European cyber crime threats, uncovered a cache of 1.2 billion unique credentials that marked the world's biggest-ever recovery of stolen accounts.

His firm studies cyber threats playing out in the forums and chatrooms that make up the criminal underground, speaking to hackers in their native languages while developing profiles of individual criminals.

Holden said efforts to identify the hacker spreading the current trove of data or the source or sources of the stolen accounts would have exposed the investigative methods of his researchers. Because the hacker vacuumed up data from many sources, researchers have dubbed him "The Collector".

Ten days ago, Milwaukee-based Hold Security began informing organisations affected by the latest data breaches. The company's policy is to return data it recovers at little or no cost to firms found to have been breached.

"This is stolen data, which is not ours to sell," said Holden.

 

 

 

SOURCE

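Mail.ru's statement that it is "checking whether any combinations of usernames/passwords match users' e-mails and are still active" describes the check a provider runs on a dump like this, and the deduplication step is how 1.17 billion rows collapse to 272 million unique pairs. As an added example that is not Hold Security's, Mail.ru's or Reuters' code, the Python below deduplicates a constructed email:password dump and verifies each leaked password against a constructed PBKDF2-hashed user store (the store, the accounts, the passwords and the PBKDF2 parameters are all assumptions), sorting the pairs into live, stale and unknown.

```python
import hashlib
import hmac
import os

# Assumed work factor for the stand-in password store; a real store uses
# whatever its own verifier is configured with.
ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, standing in for the provider's real password store."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Constant-time comparison, the same path a normal login would take."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


# Constructed user store (not real accounts): email -> (salt, digest).
USER_STORE = {
    "alice@example.com": hash_password("correct horse battery staple"),
    "bob@example.com": hash_password("hunter2"),
    "carol@example.com": hash_password("Tr0ub4dor&3"),
}

# Constructed dump in the email:password form described in the article, with
# duplicate rows (one differing only in case), an old password, a malformed
# line and a user the provider has never heard of.
LEAKED_DUMP = """\
alice@example.com:password123
bob@example.com:hunter2
BOB@example.com:hunter2
carol@example.com:letmein
mallory@example.com:qwerty
this line is garbage
bob@example.com:hunter2
"""


def dedupe_dump(text):
    """Normalise and deduplicate email:password pairs (the 1.17 billion -> 272 million step)."""
    pairs = set()
    malformed = 0
    for line in text.splitlines():
        if ":" not in line:
            malformed += 1
            continue
        email, password = line.split(":", 1)  # passwords may themselves contain ':'
        pairs.add((email.strip().lower(), password))
    return pairs, malformed


def classify_pairs(pairs, store):
    """
    Sort leaked pairs into live (password still verifies: force a reset),
    stale (account exists, password does not match) and unknown (no such user).
    """
    live, stale, unknown = [], [], []
    for email, password in sorted(pairs):
        if email not in store:
            unknown.append(email)
            continue
        salt, digest = store[email]
        (live if verify_password(password, salt, digest) else stale).append(email)
    return {"live": live, "stale": stale, "unknown": unknown}


if __name__ == "__main__":
    pairs, bad = dedupe_dump(LEAKED_DUMP)
    print(f"{len(pairs)} unique pairs, {bad} malformed line(s)")
    result = classify_pairs(pairs, USER_STORE)
    for bucket, emails in result.items():
        print(f"{bucket}: {emails}")
```

A live hit means the leaked plaintext still verifies against the stored hash, so that account is forced through a reset and its recent sessions are reviewed; stale and unknown pairs are what a mostly recycled dump looks like, and their share of the total is the figure Mail.ru and Google reported. The provider never has to keep the leaked data beyond this one pass, and the comparison goes through the same verifier as a normal login, so no plaintext of its own users' passwords is involved.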


straycat19
On 5/5/2016 at 11:33 PM, Batu69 said:

A number of major webmail services have suffered one of the largest security breaches in recent years. The account details of Gmail, Yahoo Mail, Hotmail, and Mail.ru are just four of the services affected.

 

This is another case of a researcher crying wolf and getting his company in the news. The following was released by Mail.ru to the press: "The Russian email provider's initial checks found no live combinations of user names and passwords that match existing emails." The hacker was trying to make a name for himself (he did, we call him FuckHead) by consolidating old data and releasing it. None of our attempts found any recent email account/password combinations in the released data so far. It is pretty safe to assume that this is what it turned out to be: a script kiddie culling old hacked data and a security company that couldn't get recognition any other way but crying 'Wolf'. I wrote a program once that would create a list of bogus email addresses and passwords just to prove a point. Imagine the news coverage I could get today by releasing 1 billion email addresses! :D



  • Administrator
7 hours ago, straycat19 said:

 

This is another case of a researcher crying wolf and getting his company in the news. The following was released by Mail.ru to the press: "The Russian email provider's initial checks found no live combinations of user names and passwords that match existing emails." The hacker was trying to make a name for himself (he did, we call him FuckHead) by consolidating old data and releasing it. None of our attempts found any recent email account/password combinations in the released data so far. It is pretty safe to assume that this is what it turned out to be: a script kiddie culling old hacked data and a security company that couldn't get recognition any other way but crying 'Wolf'. I wrote a program once that would create a list of bogus email addresses and passwords just to prove a point. Imagine the news coverage I could get today by releasing 1 billion email addresses! :D

 

As I said, something does not add up here.



12 hours ago, straycat19 said:

 

This is another case of a researcher crying wolf and getting his company in the news. The following was released by Mail.ru to the press: "The Russian email provider's initial checks found no live combinations of user names and passwords that match existing emails." The hacker was trying to make a name for himself (he did, we call him FuckHead) by consolidating old data and releasing it. None of our attempts found any recent email account/password combinations in the released data so far. It is pretty safe to assume that this is what it turned out to be: a script kiddie culling old hacked data and a security company that couldn't get recognition any other way but crying 'Wolf'. I wrote a program once that would create a list of bogus email addresses and passwords just to prove a point. Imagine the news coverage I could get today by releasing 1 billion email addresses! :D

 

Just to follow the order of your idea and add up presumptions: maybe the email addresses come from sites which use an email address as the username and ask for some password. Though the Internet is full of fools, most of them know enough not to give out the password of their own email to some third-party site. So, once these sites were hacked, the attackers got a combination of email address and password, obviously not valid for accessing that specific email account.



At 3:28 PM, DKT27 said:

I believe gmail does that. Something does not add up. Either this is not fully true or the security is compromised somewhere.

 

Garbage in, garbage out: Why Ars ignored this week’s massive password breach

http://arstechnica.com/security/2016/05/the-massive-password-breach-that-wasnt-google-says-data-is-98-bogus/

 

Ars didn't believe it either, and according to Yahoo there was nothing to it (at least some sites try not to post fake news).

 

Quote

Update:

After this story was published, Yahoo officials issued the following statement:

“Our security team has investigated and we don’t believe there is any significant risk to our users based on the claims shared with the press. We always encourage our users to create strong passwords (here are some tips), or, even better, eliminate use of passwords altogether by using Yahoo Account Key.”
