“Today, large amounts of stolen credentials may not grab headlines, but they never lose their potency…”
In yet more news of big data breaches, Hold Security, a Wisconsin-based security firm known for obtaining hoards of stolen data from the hacking underworld, has recovered over 272 million unique pairs of email addresses and unencrypted passwords from a Russian hacker, of which 42.5 million had never been seen by the company in earlier leaks.
Hundreds of millions of usernames and passwords belonging to Mail.ru, Gmail, Hotmail and Yahoo Mail users are being traded in Russia’s criminal underworld. Hold Security had purportedly chanced upon the data when they saw a young Russian hacker bragging about the information haul in an online chat forum.
The hacker seems to have been primarily targeting Russian users. The cache of email addresses and passwords totaled 1.17 billion records, but many of them were duplicates, leaving only 272 million unique credentials in the end. Still, Alex Holden, founder and chief information security officer of Hold Security, told the International Business Times that the collection “is still the biggest collection amassed by a single individual.”
Holden stated that most of the stolen email addresses came from Mail.ru (about 57 million), Russia’s largest email provider, while around 40 million of the addresses were Yahoo Mail, 33 million Hotmail and 24 million Google’s Gmail service. Moreover, the breach reportedly contained hundreds of thousands of German and Chinese email addresses as well as thousands of username/password combos that appear to belong to employees of US banking, manufacturing and retail companies. The hacker, who is apparently quite young, appears to have collected the stolen email IDs and passwords from several smaller, less secure websites where people log in with their email address and a password.
In their statement, Hold Security declared that in their negotiations with the hacker (dubbed “The Collector” by researchers) to acquire the data, the hacker had first asked to be paid only 50 roubles (USD 0.76; MYR 3.05), but in the end settled for compensation in the form of adding “likes/votes to his social media page” and “favorable comments” about him in various hacker forums. The hacker seemed eager and in a hurry to sell off his collection of login credentials, but Hold Security is clear that they refuse to acquire data by “rewarding the bad guys for their work” and opt for other methods of negotiation to avoid helping the hacker monetize his work. Once the hacker was satisfied, Hold Security received a link to the massive 10 GB of data in a compressed database, which reportedly took them more than an hour to download.
“This information is potent,” Holden expressed to Reuters. “It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him. These credentials can be abused multiple times.”
While users who use a different password for their email account and for each third-party website would be less affected, users who reuse the same password across multiple sites as well as their email should take precautions. Cyber-criminals are well aware of our habits in all matters relating to passwords, and of the limits of human memory when it comes to remembering 101 different complex passwords. Users habitually create the same password across various accounts for ease of recall, and time and time again reuse passwords without ever bothering to change them.
Because of this, such large-scale data breaches can be exploited by hackers to mount further break-ins or phishing attacks, by trying an old password found for one account against the same user’s other accounts, which also multiplies the risk of financial theft.
According to The Inquirer, Mail.ru spokeswoman Madina Tayupova said that in Mail.ru’s initial checks the company found no live username/password combinations matching existing email accounts, although it will continue to check whether any of the combinations match users’ emails and are still active. The company promised to warn users who may have been affected as soon as it has enough information.
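The provider-side check described above (loading a dump of email:password pairs, removing the duplicates that inflated the record count, and testing whether any leaked plaintext still verifies against the stored hash) can be done without ever storing the leaked plaintext. The following is an added example, not code from Hold Security or any of the providers named; the user store, PBKDF2 parameters and the dump lines are all constructed for illustration:

```python
import hashlib
import hmac
import os

# Constructed sample dump in the common "email:password" line format.
# Note the duplicate and case-variant entries, which the dedup step collapses.
LEAK_DUMP = """\
alice@example.com:Winter2016
bob@example.com:hunter2
alice@example.com:Winter2016
ALICE@example.com:Winter2016
carol@example.com:letmein
bob@example.com:hunter2
"""


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever the provider stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_store(users):
    """Constructed user store: email -> (salt, hash). Plaintext is never kept."""
    store = {}
    for email, password in users:
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


# Alice still uses the leaked password; Bob already changed his; Carol is not a customer.
STORE = make_store([("alice@example.com", "Winter2016"), ("bob@example.com", "n3w-pass")])


def parse_dump(text):
    """Split each line on the first ':' (passwords may contain ':'); normalise the email."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip malformed lines rather than guessing
        email, password = line.split(":", 1)
        pairs.append((email.strip().lower(), password))
    return pairs


def find_live_matches(pairs, store):
    """Emails whose leaked plaintext still verifies against the stored hash (force a reset)."""
    live = []
    for email, leaked_pw in pairs:
        record = store.get(email)
        if record is None:
            continue  # not our user; nothing to act on
        salt, stored_hash = record
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored_hash):
            live.append(email)
    return live


def check_dump(text, store):
    """Return (raw record count, unique pair count, list of live matches)."""
    pairs = parse_dump(text)
    unique = sorted(set(pairs))
    return len(pairs), len(unique), find_live_matches(unique, store)
```

Accounts returned as live are the ones the provider should lock or force through a password reset, which is the action the spokespersons above describe.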
A Microsoft spokesperson told Mashable, “Unfortunately, there are places on the internet where leaked and stolen credentials are posted, and when we come across these or someone sends them to us, we act to protect customers. Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account.”
Meanwhile, Yahoo added, “We’ve seen the reports and our team is reaching out to Hold Security to obtain the list of accounts now. We’ll update going forward,” but Google has yet to provide a comment at this time.
Sources: Hold Security, The International Business Times, The Inquirer