Hacker selling over 272 million webmail passwords for $1? Don't panic

This may very well be a non-story.

Two sides of the moon

In the last day or so a number of media outlets have published some pretty scary-looking stories about a Russian hacker who is apparently trying to sell 272 million login credentials for some of the world's biggest webmail providers... for less than $1.

The news came in the form of a press release from an outfit called Hold Security.

Here is just a handful of the reports:

First, some facts.

1. We don't know how many (if any) of the usernames and passwords in the database are genuine. Some might have been made up. Others might have been changed long ago.

2. There is nothing to suggest that there has been any attack against the likes of Gmail, Yahoo and Hotmail. If any of the stolen credentials are genuine, they may well have been gathered through phishing attacks or through home users having their computers infected by malware.

3. We only have Hold Security's word for all of this.

What we do know is that there are "butterfly collectors" out there, who are interested in collecting large databases of usernames and passwords, but are somewhat more besotted with the size of their collection than its quality. They are not going to invest time in weeding out worthless entries.

In other words, the "hackers" don't necessarily care if the credentials they are collecting work or not. After all, if you want to make a quick buck (or 50 rubles) then may be other collectors who will be similarly more impressed by the size of the database being offered than whether contains new or indeed working passwords.

Even Hold Security in its press release acknowledges that over 99% of the credentials it has scooped up from underground forums have been seen before, suggesting to me that they may have gone "stale" (if they were ever even "ripe") long ago.

A spokeswoman for Mail.ru, one of the webmail providers mentioned by Hold Security, told BBC News that there did not appear to be any reason to panic just yet:

"A large number of usernames are repeated with different passwords. We are now checking whether any combinations of username/password match [active accounts] - and as soon as we have enough information we will warn the users who might have been affected. The first check of a sample of data showed that it does not consist of any real live combinations of usernames and passwords."

What's interesting about this is that we've been here before.

In 2014, Hold Security announced that it had stumbled across a database of over one billion stolen usernames and passwords, and received a shed-load of press coverage as a result.

Having sent many people into a blind panic, Hold Security pointed people towards its $120 per year breach notification service or a web form where users were invited to enter their email addresses and passwords to see if they were included in the haul.

As I recall, no-one independent ever confirmed the details of the 2014 breach either.

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

,

6 Responses

  1. Peter Vogel

    May 5, 2016 at 2:56 pm #

    Was wondering about this too yesterday. Particularly interesting was the claim by the Hold representative that the hacker didn't really want payment for the trove, just some nice mentions in a particular forum.

  2. Karl

    May 5, 2016 at 3:16 pm #

    At first read I thought, perhaps I am due a password change. After my Lastpass password security audit I found my common webmail passwords are around 10 months old (I try and change passwords yearly). Then I thought, actually I am safe because I do not type my passwords in random places or enter competitions to win iPads. An additional security measure, I use 2FA where available and every single website has a unique password. Either way, I am due a password change in the coming months.

  3. Dave B.

    May 5, 2016 at 8:15 pm #

    Curiously enough, I got an email from my sister this morning saying she was getting a number of undeliverable returns in her comcast inbox, all with a mail.ru address, coincidence?

  4. Sean

    May 5, 2016 at 9:02 pm #

    Its valuable data, can be used for Hadoop analysis. Wish I could get it without passwords mentioned

  5. DataBit CyberServices SA (INC)

    May 6, 2016 at 12:09 am #

    Hold Security is well-known for fake post about security breaches. (They become fame and can sell therefore more own products)
    – So, I also do not believe any word about this breach.

    Biggest breach in the Internet history, they said…
    …Sure, and Hold Security is again the only pc security company that discovered this. ;)

  6. Geetu

    May 6, 2016 at 4:07 am #

    Mainstream just sees the big names Gmail, Yahoo and propagates without even verifying or understanding the item. It is thanks to Graham Cluley's blog that we get to know what it really is.

Leave a Reply