Science

272 Million Email Passwords Have Been Leaked, but There's a Sliver of Good News

Are you among the victims?

Syracuse University

Usernames and passwords for the world’s largest email services have surfaced, following an investigation by a security analyst who picked up the trove from a notorious hacker. But there’s a razor-thing slice of good news: The biggest chunk of passwords belong to a Russian email client, which means anybody without a Mail.ru account is less at-risk.

The database contained 57 million accounts from Mail.ru, which, if confirmed as active, would mean almost all of the service’s 64 million accounts have been compromised.

In addition, 40 million Yahoo, 33 million Hotmail, and 24 million Gmail credentials were discovered, constituting 15, 12, and 9 percent of those email clients’ user totals, respectively.

In return for this massive wealth of information that could contain private banking information and help lead to further big data snares, the hacker requested 50 roubles, a little less than $1 USD. Alex Holden, the founder and chief information security officer of Hold Security, who first discovered the data trove, ended up convincing the hacker to give away the data for free after promising to write positive reviews of the collection on message boards. Previous sales of hacked information have been reported to cost as much as $10,000 for 100,000 credentials.

“This information is potent. It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him,” Holden told Reuters. “These credentials can be abused multiple times,” he said.

The discovery of these hundreds of millions of online credentials would represent one of the most significant finds in the history of digital cybersecurity. Holden calls the particular hacker who supplied the information, “The Collector,” because he or she seems to compile sets of hacked information into giant collections for sale. The subtle strategy may suggest that not all of the accounts contain valid information, as none of the email services have yet confirmed that the database contains active usernames and passwords.

Holden has already uncovered tens of millions of credentials online from the huge hacks of Adobe Systems, JP Morgan, and Target. A Ukrainian-American, Holden leverages his language skills and experience to build relationships with many of the hackers who are often from Eastern Europe. But if there’s any doubt about where his allegiances lie, he always turns hacked information his team discovers online over to the breached companies.

“This is stolen data, which is not ours to sell,” said Holden.