Hacker Gives Away 272 Million Stolen Accounts for $1

Stolen usernames and passwords from Yahoo, Google and Microsoft's webmail services are reportedly being traded by Russian criminals. They are said to be among a batch of 272.3 million accounts, though most are from a popular Russian service.

The trade has been revealed by Hold Security in a discussion with Reuters. Hold's founder says his staff uncovered the batch when trawling an online forum used by hackers.

The person who provided the information claimed he had a total of 1.17 billion records, but agreed to hand over a portion of them. It seems that while many criminals buy and sell such records for relatively large amounts, this hacker was more interested in the prestige and was offering the files for less than a dollar.

Even at that price, Hold's staff refused to pay, citing a company principle of not paying for stolen information. Instead they persuaded the hacker to pass on the details in return for favorable posts about him in online forums.

Russian Firm Hit Hard

With duplicates removed, the files covered 272 million different users. Around 57 million were from Mail.ru, a Russian webmail provider. That's an astonishing number given the company reports having 64 million active users.

The haul also reportedly included details of 40 million Yahoo Mail accounts, 33 million Hotmail accounts and 24 million Gmail accounts, alongside those for services in China and Germany. (Source: reuters.com)

Hold Security passed on the files to the relevant companies 10 days ago and gave them time to deal with them before going public. Mail.ru says it is examining whether the data is up to date before contacting affected customers, but says many of the username/email combinations may be outdated or bogus.

Phishing Boom May Follow

Security experts say there's likely no need for immediate panic, but have warned that there's a risk that the hacker may pass on the data to less reputable recipients. For that reason, users should watch out for an increase in phishing emails if cybercriminals get hold of the email addresses. (Source: bbc.co.uk)

The incident should also serve as a reminder of the importance of not using the same passwords for multiple services, particularly ones which can allow access to confidential data such as emails and online banking.

What's Your Opinion?

Are you concerned that a hacker may be giving passwords away so cheaply, meaning they could be seen by many criminals? Do you think the low asking price means the data probably isn't accurate? Should webmail companies do more to keep users safe and secure?