
Russian hacker tries selling 272 million stolen Gmail, Hotmail, and other accounts for $1

A Russian hacker harvested hundreds of millions of stolen account credentials from a number of popular email services and tried to sell them for less than $1, Reuters reports.

The anonymous hacker was spotted by researchers with Hold Security advertising his trove of accounts on a dark web forum. Analysts with Hold reached out and asked for a dataset to verify, and began negotiating. The hacker only wanted 50 rubles, or less than a buck.

"I am just getting rid of it but I won’t do it for free," the hacker purportedly wrote to the analysts. Eventually the hacker gave up the data for nothing more than social media likes and votes on his page at VKontakte, a social network alternative to Facebook that's most popular in Russia.

Minus duplicates of usernames and passwords, the data contained roughly 57 million accounts from Mail.ru, or more than half the number of people using Russia's leading email service.

A Mail.ru spokesperson told Reuters, "We are now checking, whether any combinations of usernames/passwords match users' e-mails and are still active."

Forty million credentials came from Yahoo Mail, 33 million came from Microsoft's Hotmail, and 24 million came from Google's Gmail, Hold Security's Alex Holden told Tech Insider. Other email services from China and Germany were also in the data.

Google spokesperson Aaron Stein told Tech Insider his company does not comment on specific incidents. But he did offer a 2014 blog post from the company's security team on the unfortunate reality of "password dumps" like this one, which said: 

"It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources."

Microsoft provided Tech Insider with the following statement:

"Unfortunately, there are places on the internet where leaked and stolen credentials are posted, and when we come across these or someone sends them to us, we act to protect customers. Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account."

Yahoo told TI: "We’ve seen the reports and our team is reaching out to Hold Security to obtain the list of accounts now. We’ll update going forward."

Whether or not your email account is caught in the breach, it might be a good idea to change your password to something stronger and enable two-factor authentication, which will make it close to impossible for anyone to breach your account with just your login information.

Holden told TI his firm was working with the services affected to notify them of potentially vulnerable email accounts.

"We already reached out and keep reaching out to different services that have a lot of those credentials," he said.

This post was updated on 5/4 10:00 and 10:18 a.m. PDT with a statement from Microsoft and Yahoo, respectively.
