272 Million Hacked Email Addresses and Passwords for Sale on Black Market

May 4, 2016, Written By Bill Hardekopf
Safety concept: pixelated words Email Security on digital background, 3d render

A security expert told Reuters that hundreds of millions of hacked email user names and passwords are being sold in Russia’s criminal underground.

Most of the 272.3 million accounts are from Mail.ru users, which is Russia’s most popular email service. However, Google, Yahoo and Microsoft email users have also been breached, according to Alex Holden, founder and chief information security officer of Hold Security.

Holden discovered the stolen data when he found a Russian hacker bragging in an online forum about stealing some 1.17 billion records.

After eliminating duplicates, Holden found that the cache contained nearly 57 million Mail.ru accounts (the service has 64 million active users), tens of millions of credentials for Gmail (24 million), Microsoft (33 million) and Yahoo (40 million) users, and hundreds of thousands of accounts from German and Chinese email providers.

For some reason, the hacker is charging only 50 roubles (less than $1) for all of the records, but he gave Hold researchers the data for free when they promised to post positive comments about him in hacker forums. Holden said that his company does not pay for stolen data.

“This information is potent. It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him,” said Holden. “These credentials can be abused multiple times,” he said.

Other cybercriminals will purchase these credentials to pursue other break-ins or phishing attacks by reaching out to the contacts listed in compromised accounts. This increases the risk of financial theft.

Also, since most users stick to their favorite passwords, hackers will try using the passwords linked to stolen email accounts to hack into financial accounts or websites.

When it was informed of the potential breach, Mail.ru said in an email statement: “We are now checking, whether any combinations of usernames/passwords match users’ e-mails and are still active. As soon as we have enough information we will warn the users who might have been affected.”

The company added that its initial checks found no live combinations of user names and passwords that match existing emails.

While Yahoo and Google have not responded to requests for comments, a Microsoft spokesperson has confirmed the breach. “Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access.”



The information contained within this article was accurate as of May 4, 2016. For up-to-date
information on any of the terms, cards or offers mentioned above, visit the issuer's website.