Millions of accounts for webmail providers leaked: Gmail, Yahoo Mail, Hotmail and more

kev216

Level 21
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 6, 2014
1,044
Several high-profile email providers have been the subject of a leak of user account information, which includes usernames, email addresses and unencrypted passwords. The leak involves multiple services; popular names such as: Gmail, Yahoo Mail, Hotmail and Mail.ru.

The security firm that discovered the breach, Hold Security, believes that many of the accounts involved in this leak have not been previously leaked. According to its analysis there are over 272 million unique email and unencrypted password pairs, where 42.5 million have not been previously leaked.

Hold Security was able to get a hold of the data for free. The hacker originally asked for 50 roubles (equating to around 75 cents or 52 pence) for the entire list. Instead, an agreement was reached to provide the data for free if the firm was to post positive comments about the hacker in a forum.

The major worry with this breach is the hackers willingness to provide the data at no cost, or for virtually nothing. In a statement from Alex Holden, chief information security officer at Hold Security, he said:

What makes this discovery more significant is the hacker's willingness to share these credentials virtually for free, increasing the number of... malicious people who might have this information.

A breakdown of the major services affected showed the scale of the leak:

  • 57 million accounts for Mail.ru
  • 40 million for Yahoo Mail
  • 33 million for Hotmail
  • 24 million for Gmail
Mail.ru was the service most affected, having 57 million accounts leaked, although Yahoo Mail wasn't far behind with 40 million.

Statements from several of the providers have been released.

A spokeswoman for Mail.ru said that they are "now checking whether any combinations of username/password match" active accounts and will "warn the users who might have been affected".

Microsoft stated that they would require "additional information to verify the account owner and help them regain sole access", whilst explaining that they have measures in place to prevent access.

Google said that they are "still investigating, so we don't have a comment at this time".

Yahoo said that they have "seen the reports" and their "team is reaching out to Hold Security to obtain the list of accounts". They will provide further updates once they know more.

The concern of this leak does not lay solely with people being able to gain access to one's email account, but also that these details could be used to send bulk phishing emails.
 

Overlord

Level 10
Verified
Content Creator
Well-known
Feb 22, 2013
451
Such collections are often the effect of software that after obtaining logins, trying to match them with a password obtained from the infected browsers or acquired websites to which users have used the e-mail address as your username.
 

kev216

Level 21
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 6, 2014
1,044
Not had any emails yet from google or hotmail yet?
What worried me it that onedrive is linked to my hotmail/outlook account so does that mean my files are at risk too?
Once you have the password for outlook/hotmail, the password and email of your onedrive is the same, so yes they can acces your files then. But as long as you don't see any unexpected behaviour, there is nothing to worry about. And if you want to be 100% sure, just login now and change your password, then nobody will have acces to your account, if you think you might be one of the victims of this hacking.
 

omidomi

Level 71
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,008
One of the biggest cyber attacks ever has left millions of email users at risk from being hacked. 272 million email accounts have been compromised, with Russian hackers obtaining user names and passwords. Gmail, Yahoo and Microsoft mail users are all thought to have been targeted, although the majority of the hack appears to have hit Mail.ru accounts.

IT Security experts from ESET, MIRACL, Veracode, AlienVault, Imperva, Lieberman Software and Centrify provide insight:

Ondrej Kubovič, Security Specialist at ESET:
“According to information provided by Hold Security, it seems to be a yet another large data breach, the origin of which was not found amongst users. In similar cases, good password hygiene can help minimize the potential damage such as always using unique password for each account/service.

On top of that, users should also opt for two factor authentication, if provided by the given service. This adds another layer of protection for their account and data, making it harder for the attackers to make use of hijacked data.”

Brian Spector, CEO at MIRACL:
“There is a certain irony about such a stash of passwords being stolen on world password day, and it’s a sad reminder of just how vulnerable this type of security really is.

The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that companies and individuals store and access online today. In order to retain their customers’ trust, online services need to remove the password from their systems altogether, and implement rigorous authentication technologies.

For now, anyone with a Google, Yahoo, Microsoft or Mail.ru email account should change their password immediately, not only for their email account but also for any other website where they may have used the same password. Unfortunately, the truth is that most of us probably already have some sort of private information floating around on the dark web and as long as we use this outdated username and password system, we will be reading a lot more of these headlines.”

Paul Farrington, senior solution architect at Veracode:
“With increasing threats to both individuals and organisations, it has never been more critical to take a secure and direct approach to protecting passwords, through two-factor authentication security, and frequent scans of web applications. With cyber-attackers typically targeting the theft of money, intellectual property and / or our personal identities, this breach only serves as a further reminder of the upmost importance for businesses to ensure that sensitive data is safeguarded against cyber-criminals.”

Javvad Malik, Security Advocate at AlienVault:
“To find out if they’re affected, users could use a (reliable) lookup service like https://haveibeenpwned.com but even that isn’t really going to capture everything.

The main advice for customers is to not re-use passwords across different systems – so don’t use the same password you use for your email to access your online banking and Facebook etc. Investing in a password manager can help greatly. Also enabling 2FA wherever possible is strongly recommended. That way, even if someone has your id and password, they still can’t logon. Some sites also allow you to set alerts any time there is suspicious activity or a failed logon.”

Jonathan Sander, VP of Product Strategy at Lieberman Software:
“What’s notable about this 272 million strong batch of stolen user info is that it’s being offered at such a low price. The black market for stolen electronic information about people is like every other market and sees price fluctuations. In the past, records like these may have gone for up to $0.30 apiece. To see 272 million of them going for $1 means the prices for our data is falling, which may be seen as good news. As prices get lower and the skill needed to grab the data gets higher, then maybe we’ll see market forces fighting the bad guys for us.

The bad guys who are stealing our data have the same motivations as most of the organizations they steal it from – profit. The bad guys are just building a more and more complete spreadsheet about everyone on earth as they breach this site and that. This batch of 272 million records is only notable for being a rather large single dump of such data. They want to sell that information off, and the more complete a record is on a person the more value it has on the black market. These shadowy folks will also often use data from one breach to power another. If they find a username and password on one site, they will try it on many others in case people are using the same one over and over like many people do. If they learn a birthday or anniversary, they check if that is a pin code or other type of passcode since so many use those things for that purpose.

After years of headlines every day about breaches, the everyday users who are going to let that scare them into good security practices have already done so. If you’re one of those people and you already use different passwords for different sites, practice safe browsing, and are suspect of any email that looks “phishy,” then you have little to fear from this news. If you operate a website where even a small chuck of this data may have been culled from and you have not yet adopted basic security measures to protect that information you hold, then maybe it’s time you realized that to make a database this large they had to hit everyone they could – maybe even you. Many feel they’re too small to be a target, but no target is too small when you’re goal it to take every scrap you can get and throw it into a pile this large.”

Chris Webber, Security Strategist at Centrify:
“This newest announcement further proves that we can no longer rely on passwords for security. An average person reuses a favorite or easy-to-remember password across multiple sites and apps. So if an average user has a personal email password, a personal fileshare password, and the same for work, that means these 272.3 million passwords unlock over a billion different apps, sites, and services.
“What’s worse, password theft is getting simpler every day. Forget about movie-style, brilliant-minded, sophisticated hackers. Forget about savvy criminals planning Ocean’s 11 style capers. Password harvesting can now be done by anyone clever enough to make a cat meme, or post a nasty comment on YouTube, thanks to simple downloadable toolkits.
“We have to protect ourselves much better – and today, that’s easy. Adding even simple multi-factor authentication (MFA), like SMS-based verification, would mean that all 272.3 million passwords stolen no longer provide access to anything. Today, those passwords are all you need to gain access. With MFA, those passwords are only part of the key – and accounts will remain safe against today’s most common attacks.”
source: 272 Million Email Accounts Hacked - Information Security Buzz
 
  • Like
Reactions: Der.Reisende

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top