Hold Security, a company specializing in information security assessment, risk management and incident response, announced that it has discovered a cache of over 1.17 billion stolen online credentials from a Russian hacker who collected the data from a variety of breached sources, including Gmail, Yahoo and Microsoft.
To Catch A Hacker, Like Their Social Media Page
Hold Security was able to track down the hacker taking credit for the stolen information, and it wasn’t as hard as you might think. The Russian cybercriminal was openly bragging about his lifted stash of data in an online forum, and he even provided the company with the files to prove it in exchange for votes or likes on his social media pages.
The initial database consisted of 917 million records totaling over 10 GB, but the first batch of stolen credentials the hacker provided seemed unimpressive from a breach standpoint; the majority of the information was already identified, and appropriate measures were likely already taken to secure the companies or individuals affected. Only 0.45 percent of this data was considered new. What should you expect from a hacker who initially asked for only 50 rubles (less than $1.00 USD) for his talked-up treasure trove and then caved for a few likes on Facebook?
The Bad News
However, after digging deeper, Hold Security discovered the hacker was holding something significant back from the company’s undercover agents: a cache of 1.17 billion stolen email accounts from Yahoo, Gmail and Microsoft, in addition to Mail.ru accounts. The Russian cybercriminal provided this new and potentially more damaging data set after some further investigation by Hold Security in exchange for (you guessed it) more praise on his social media pages.
The new batch of stolen credentials seemed to hit the three major players in the email game, with nearly 57 million Mail.ru, 40 million Yahoo Mail, 33 million Hotmail and 24 million Gmail accounts compromised. Thousands of credentials from German and Chinese email providers, in addition to logins for employees of some of the largest banking, manufacturing and retail companies located in the U.S., are also listed in the stolen data.
The Good News
The company is still working to identify the specific breaches or vulnerabilities that allowed the hacker to gain access to the mega-sized data dump of stolen email logins, but Hold Security also determined that only 272 million of the 1.17 billion pilfered credentials were unique. The company estimated this translates to roughly 42.5 million viable credentials, which is about 15 percent of the total, something Hold Security says it has never seen before.
Despite the large number of possibly vulnerable email accounts, Microsoft has issued a statement to Reuters to assure its customers that they have little to fear.
“Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access,” read the statement.
Other companies such as Google and Yahoo have yet to comment on the breach. Mail.ru stated that it would warn potentially affected users once it has enough information, but the company’s initial checks found no live combinations of user names and passwords that match existing emails.
Hold Security also doubts the integrity of the stolen data, noting that its credibility and value may not be as great as the hacker boasts if he is willing to give up the data for some conversation and social media acclaim.
“50 rubles is what the hacker wants for this incredibly large set of data,” stated Hold Security. “He can’t be serious; based on today’s exchange rate, it is less than one U.S. dollar. This greatly impacts the data’s credibility and value, similar to an expensive sports car being sold for pennies at auction.”
It's Time For A Change (Of Passwords)
Whatever the eventual findings may be, if you are using an email account from one of the affected providers, you could (and should) save yourself from potential unauthorized access by changing your password right now. This time, just make sure it’s something more unique than “password.”