Skip to main content

Now Might Be A Good Time To Change Your Gmail, Hotmail Or Yahoo Password

Hold Security, a company specializing in information security assessment, risk management and incident response, announced that it has discovered a cache of over 1.17 billion stolen online credentials from a Russian hacker that collected the data from a variety of breached sources, including Gmail, Yahoo and Microsoft.

To Catch A Hacker, Like Their Social Media Page

Hold Security was able to track down the hacker taking credit for the stolen information, and it wasn’t as hard as you might think. The Russian cybercriminal was openly bragging about his lifted stash of data in an online forum, and they even provided the company with the files to prove it in exchange for votes or likes to their social media pages.

The initial database consisted of 917 million records totaling over 10 GB, but the first batch of stolen credentials the hacker provided seemed unimpressive from a breach standpoint; the majority of the information was already identified, and appropriate measures were likely already taken to secure the companies or individuals affected. Only 0.45 percent of this data was considered new. What should you expect from a hacker that initially asked for only 50 rubles (less than $1.00 USD) for his talked-up treasure trove and then caved for a few likes on Facebook?

The Bad News

However, after digging deeper, Hold Security discovered the hacker was holding something significant back from the company’s undercover agents: a cache of 1.17 billion stolen email accounts from Yahoo, Gmail and Microsoft, in addition to Mail.ru accounts. The Russian cybercriminal provided this new and potentially more-damaging data set after some further investigation by Hold Security in exchange for (you guessed it) more praise on their social media pages.

The new batch of stolen credentials seemed to hit the three major players in the email game, with nearly 57 million Mail.ru, 40 million Yahoo Mail, 33 million Hotmail and 24 million Gmail accounts compromised. Thousands of credentials from German and Chinese email providers, in addition to logins for employees of some of the largest banking, manufacturing and retail companies located in the U.S are also listed in the stolen data.

The Good News

The company is still working to identify the specific breaches or vulnerabilities that allowed the hacker to gain access to the mega-sized data dump of stolen email logins, but Hold Security also determined that only 272 million of the 1.17 billion pilfered credentials were unique. The company estimated this translates to roughly 42.5 million viable credentials, which is about 15 percent of the total, something Hold Security says it has never seen before.

Despite the high amount of possibly-vulnerable email accounts, Microsoft has issued a statement to Reuters to assure its customers that they have little to fear.

“Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access," read the statement.

Other companies such as Google and Yahoo have yet to comment on the breach. Mail.ru stated that it would warn potentially affected users once they have enough information, but the company’s initial checks found no live combinations of user names and passwords that match existing emails.

Hold Security also doubts the integrity of the stolen data, citing that the credibility and value of the stolen information may not be as impactful as the hacker boasts if they are willing to give up the data for some conversation and social media acclaim.

“50 rubles is what the hacker wants for this incredibly large set of data,” stated Hold Security. “He can’t be serious; based on today’s exchange rate, it is less than one U.S. dollar. This greatly impacts the data’s credibility and value, similar to an expensive sports car being sold for pennies at auction.”

It's Time For A Change (Of Passwords)

Despite what the eventual findings may be, if you are using an email account from one of the affected providers, you could (and should) save yourself from potential unauthorized access by changing your password right now. This time, just make sure it’s something more unique than “password.”

Derek Forrest is an Associate Contributing Writer for Tom’s Hardware and Tom’s IT Pro. Follow Derek Forrest on Twitter. Follow us on Facebook, Google+, RSS, Twitter and YouTube.

 

  • DookieDraws
    Wow! I just did this less than a minute ago before coming here! CREEEEEPY! :P

    I changed my password to 0987654321ABCDE, so nobody use this, okay? :)
    Reply
  • problematiq
    While it's good to keep your password in rotation, it's been shown that this was a media hyped "Hack" most if not all the data was recycled from older hacks and or public data with some randomly generated emails salted in.
    Reply
  • hasten
    Wow! I just did this less than a minute ago before coming here! CREEEEEPY! :P

    I changed my password to 0987654321ABCDE, so nobody use this, okay? :)
    Dude. Now I have to change mine again... although I did it 2 hours ago, so it's only fair that you change yours...
    Reply
  • DookieDraws
    17922816 said:
    Wow! I just did this less than a minute ago before coming here! CREEEEEPY! :P

    I changed my password to 0987654321ABCDE, so nobody use this, okay? :)
    Dude. Now I have to change mine again... although I did it 2 hours ago, so it's only fair that you change yours...

    My bad. Okay, I went ahead and changed mine to 0987654321ABCDEF, so you can keep yours as is. I just added an F to mine so I wouldn't have to remember anything else. Now if I can just remember to add the F on the end.:pt1cable:
    Reply
  • pierrerock
    I have this thing : google send me a text to confirm my identity. Am i still good or do i need to change my password ?
    Reply
  • ledhead11
    WOW! I tried P@ssw0rd, 123456#Abcd, & D3f@ult and I'm still locked out. . . .maybe I got a $1 laying around somewhere. . .
    Reply
  • Caanis Lupus
    17922816 said:
    Wow! I just did this less than a minute ago before coming here! CREEEEEPY! :P

    I changed my password to 0987654321ABCDE, so nobody use this, okay? :)
    Dude. Now I have to change mine again... although I did it 2 hours ago, so it's only fair that you change yours...

    My bad. Okay, I went ahead and changed mine to 0987654321ABCDEF, so you can keep yours as is. I just added an F to mine so I wouldn't have to remember anything else. Now if I can just remember to add the F on the end.:pt1cable:

    https://www.youtube.com/watch?v=B-NhD15ocwA
    @pierrerock If you have that turned on you should be good to go since they would need the code from your text message, also will let you know IF someone is trying to connect to your account.
    Reply
  • gggplaya
    Every company should have the ability to do 2-step verification. Now i simply don't worry about it. Even if they steal the password, they still can't get in.
    Reply
  • hdmark
    but even with 2 step, i thought a big part of password breaches like this is that if you use any common passwords , they now have one of your passwords. not that its smart or that i do this (anymore...) but lets say my gmail pass was the same as my TD bank, they now have my email and pass.
    i guess this is a benefit of using things like password managers that randomly generate new passwords?
    Reply
  • gggplaya
    17924818 said:
    but even with 2 step, i thought a big part of password breaches like this is that if you use any common passwords , they now have one of your passwords. not that its smart or that i do this (anymore...) but lets say my gmail pass was the same as my TD bank, they now have my email and pass.
    i guess this is a benefit of using things like password managers that randomly generate new passwords?

    My Gmail, amazon and paypal are 2 step. None have been hacked since implementing 2 step. Someone tried to hack my paypal, but it kept sending me text messages with authorization codes, at like 3am. I literally got over 100 messages before i woke up and quickly changed my password. 2-step worked like it's supposed to. My godaddy was hacked because i didn't have 2-step, but after recovering my account(long process), i enabled 2 step on it and hasn't been hacked since.

    Anything else are just forums and random websites which don't handle my credit card info. Hacking them really doesn't gain them much.
    Reply