Hacker Gives Away 272 Million Stolen Accounts for $1

John Lister's picture

Stolen usernames and passwords from Yahoo, Google and Microsoft's webmail services are reportedly being traded by Russian criminals. They are said to be among a batch of 272.3 million accounts, though most are from a popular Russian service.

The trade has been revealed by Hold Security in a discussion with Reuters. Hold's founder says his staff uncovered the batch when trawling an online forum used by hackers.

The person who provided the information claimed he had a total of 1.17 billion records, but agreed to hand over a portion of them. It seems that while many criminals buy and sell such records for relatively large amounts, this hacker was more interested in the prestige and was offering the files for less than a dollar.

Even at that price, Hold's staff refused to pay, citing a company principle of not paying for stolen information. Instead they persuaded the hacker to pass on the details in return for favorable posts about him in online forums.

Russian Firm Hit Hard

With duplicates removed, the files covered 272 million different users. Around 57 million were from Mail.ru, a Russian webmail provider. That's an astonishing number given the company reports having 64 million active users.

The haul also reportedly included details of 40 million Yahoo Mail accounts, 33 million Hotmail accounts and 24 million Gmail accounts, alongside those for services in China and Germany. (Source: reuters.com)

Hold Security passed on the files to the relevant companies 10 days ago and gave them time to deal with them before going public. Mail.ru says it is examining whether the data is up to date before contacting affected customers, but says many of the username/email combinations may be outdated or bogus.

Phishing Boom May Follow

Security experts say there's likely no need for immediate panic, but have warned that there's a risk that the hacker may pass on the data to less reputable recipients. For that reason, users should watch out for an increase in phishing emails if cybercriminals get hold of the email addresses. (Source: bbc.co.uk)

The incident should also serve as a reminder of the importance of not using the same passwords for multiple services, particularly ones which can allow access to confidential data such as emails and online banking.

What's Your Opinion?

Are you concerned that a hacker may be giving passwords away so cheaply, meaning they could be seen by many criminals? Do you think the low asking price means the data probably isn't accurate? Should webmail companies do more to keep users safe and secure?

Rate this article: 
Average: 4.7 (7 votes)


Dennis Faas's picture

Selling all that information for $1.00 seems incomprehensibly cheap; surely that much information (if it were valid) is worth thousands more. I'm willing to bet that the data is either incredibly old, outdated, or entirely bogus.

Doccus's picture

"lol" pfft" Gag" I no tht hkr" "wht a nice gy" Etc etc etc.
I don't know, really think he could have been persuaded to surrender them gratis instead of for a dollar, for 'favorable' posts about him, if they were all just "old, outdated, or entirely bogus" ? Don't think he'd get too many.
Anyways, if that were so, as long as everyone thought they were valid, their accounts would have been safe. Now maybe all these hackers are going to try to update their info. Rotten days are here for everyone, for a while, anyways... I'm going to be abswering my relatives calls a lot more, it seems.. "Stop! Dont! click that llink! .. no.. it *doesn't mean your credit card ios frozen" "no paypal is NOT hosted on ezeSx dotcom"" "No your accounts *aren't* frozen unless you click that email link" DON'T do ANYTHING until I get there"