|
 The discovery of 272.3 million stolen accounts included a majority
of users of Mail.ru, Russia's most popular email service, and
smaller fractions of Google , Yahoo and Microsoft email users,
said Alex Holden, founder and chief information security officer of
Hold Security.
It is one of the biggest stashes of stolen credentials to be
uncovered since cyber attacks hit major U.S. banks and retailers two
years ago.
Holden was previously instrumental in uncovering some of the world's
biggest known data breaches, affecting tens of millions of users at
Adobe Systems , JPMorgan and Target and exposing them to
subsequent cyber crimes.
The latest discovery came after Hold Security researchers found a
young Russian hacker bragging in an online forum that he had
collected and was ready to give away a far larger number of stolen
credentials that ended up totaling 1.17 billion records.
After eliminating duplicates, Holden said, the cache contained
nearly 57 million Mail.ru accounts - a big chunk of the 64 million
monthly active email users Mail.ru said it had at the end of last
year. It also included tens of millions of credentials for the
world's three big email providers, Gmail, Microsoft and Yahoo, plus
hundreds of thousands of accounts at German and Chinese email
providers.
"This information is potent. It is floating around in the
underground and this person has shown he's willing to give the data
away to people who are nice to him," said Holden, the former chief
security officer at U.S. brokerage R.W. Baird. "These credentials
can be abused multiple times," he said.
LESS THAN $1
Mysteriously, the hacker asked just 50 rubles – less than $1 – for
the entire trove, but gave up the dataset after Hold researchers
agreed to post favorable comments about him in hacker forums, Holden
said. He said his company’s policy is to refuse to pay for stolen
data.
Such large-scale data breaches can be used to engineer further
break-ins or phishing attacks by reaching the universe of contacts
tied to each compromised account, multiplying the risks of financial
theft or reputational damage across the web.
Hackers know users cling to favorite passwords, resisting
admonitions to change credentials regularly and make them more
complex. It's why attackers reuse old passwords found on one account
to try to break into other accounts of the same user.
After being informed of the potential breach of email credentials,
Mail.ru spokeswoman Madina Tayupova told Reuters: "We are now
checking, whether any combinations of usernames/passwords match
users' e-mails and are still active.
"As soon as we have enough information we will warn the users who
might have been affected," she said, adding that Mail.ru's initial
checks found no live combinations of usernames and passwords which
match existing emails.
[to top of second column] |
A Microsoft spokesman said stolen online credentials was an
unfortunate reality. "Microsoft has security measures in place to
detect account compromise and requires additional information to
verify the account owner and help them regain sole access."
Yahoo and Google did not respond to requests for comment.
Yahoo Mail credentials numbered 40 million, or 15 percent of the 272
million unique IDs discovered. Meanwhile, 33 million, or 12 percent,
were Microsoft Hotmail accounts and 9 percent, or nearly 24 million,
were Gmail, according to Holden.
Thousands of other stolen username/password combinations appear to
belong to employees of some of the largest U.S. banking,
manufacturing and retail companies, he said.
Stolen online account credentials are to blame for 22 percent of big
data breaches, according to a recent survey of 325 computer
professionals by the Cloud Security Alliance.
In 2014, Holden, a Ukrainian-American who specializes in Eastern
European cyber crime threats, uncovered a cache of 1.2 billion
unique credentials that marked the world's biggest-ever recovery of
stolen accounts.
His firm studies cyber threats playing out in the forums and
chatrooms that make up the criminal underground, speaking to hackers
in their native languages while developing profiles of individual
criminals.
Holden said efforts to identify the hacker spreading the current
trove of data or the source or sources of the stolen accounts would
have exposed the investigative methods of his researchers. Because
the hacker vacuumed up data from many sources, researchers have
dubbed him "The Collector".
Ten days ago, Milwaukee-based Hold Security began informing
organizations affected by the latest data breaches. The company's
policy is to return data it recovers at little or no cost to firms
found to have been breached.
"This is stolen data, which is not ours to sell," said Holden.
(Editing by Mark Trevelyan)
[© 2016 Thomson Reuters. All rights
reserved.] Copyright 2016 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed. |
