Changing your passwords on a regular basis is sensible, especially in light of a recent report from Reuters, which suggests that over 270 million usernames and passwords for email accounts have been breached and are being used by “Russia’s criminal underworld.”
Alex Holden, chief information officer at Wisconsin-based security company Hold Security, said his firm had discovered a Russian hacker offering to sell a cache of around 1.17 billion stolen credentials for 50 roubles (75 cents).
Hold Security refuses to pay for stolen information, but the data was handed over after the company agreed to post flattering comments about the hacker on a members-only forum.
After removing the duplicates, the team discovered that the trove contained 272.3 million unique records, including 57 million accounts from Russian email service Mail.Ru, 40 million from Yahoo mail, 33 million Hotmail accounts, and 24 million Gmail credentials.
There were also hundreds of thousands of email addresses from Germany and China, along with thousands of usernames and passwords belonging to employees from US banking, manufacturing and retail companies.
"This information is potent. It is floating around in the underground and this person has shown he's willing to give the data away to people who are nice to him,” said Holden.
Hold Security has informed the affected email providers. Mail.Ru said it was now investigating which passwords are linked to current email accounts. "As we have enough information we will warn the users who might have been affected," the company said in a statement. "Mail.Ru email service has been working hard to continuously improve its security system."
Microsoft acknowledged that hackers posting stolen credentials is a problem. "Unfortunately, there are places on the Internet where leaked and stolen credentials are posted, and when we come across these, or someone sends them to us, we act to protect customers," a spokesperson said. "Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account."
Google and Yahoo did not respond to requests for comment.
How much of a threat this information poses is unclear. It’s possible that a great deal of it may be out of date, but the biggest risk comes from people’s penchant for using the same login credentials on multiple sites, which could lead to further breaches.