In the last day or so a number of media outlets have published some pretty scary-looking stories about a Russian hacker who is apparently trying to sell 272 million login credentials for some of the world’s biggest webmail providers… for less than $1.
The news came in the form of a press release from an outfit called Hold Security.
Here is just a handful of the reports:
- “Exclusive: Big data breaches found at major email services - expert”, Reuters.
- “Millions of Gmail, Hotmail and Yahoo email account details stolen in huge cyber attack, says security expert”, Metro.
- “Has YOUR account been hacked? Hundreds of millions of passwords stolen from Google and Yahoo users in major security breach”, Daily Mail.
- “Webmail firms probe login ‘leak’”, BBC News.
First, some facts.
1. We don’t know how many (if any) of the usernames and passwords in the database are genuine. Some might have been made up. Others might have been changed long ago.
2. There is nothing to suggest that there has been any attack against the likes of Gmail, Yahoo and Hotmail. If any of the stolen credentials are genuine, they may well have been gathered through phishing attacks or through home users having their computers infected by malware.
3. We only have Hold Security’s word for all of this.
What we do know is that there are “butterfly collectors” out there, who are interested in collecting large databases of usernames and passwords, but are somewhat more besotted with the size of their collection than its quality. They are not going to invest time in weeding out worthless entries.
In other words, the “hackers” don’t necessarily care if the credentials they are collecting work or not. After all, if you want to make a quick buck (or 50 rubles) then may be other collectors who will be similarly more impressed by the size of the database being offered than whether contains new or indeed working passwords.
Even Hold Security in its press release acknowledges that over 99% of the credentials it has scooped up from underground forums have been seen before, suggesting to me that they may have gone “stale” (if they were ever even “ripe”) long ago.
A spokeswoman for Mail.ru, one of the webmail providers mentioned by Hold Security, told BBC News that there did not appear to be any reason to panic just yet:
“A large number of usernames are repeated with different passwords. We are now checking whether any combinations of username/password match [active accounts] - and as soon as we have enough information we will warn the users who might have been affected. The first check of a sample of data showed that it does not consist of any real live combinations of usernames and passwords.”
What’s interesting about this is that we’ve been here before.
In 2014, Hold Security announced that it had stumbled across a database of over one billion stolen usernames and passwords, and received a shed-load of press coverage as a result.
Having sent many people into a blind panic, Hold Security pointed people towards its $120 per year breach notification service or a web form where users were invited to enter their email addresses and passwords to see if they were included in the haul.
As I recall, no-one independent ever confirmed the details of the 2014 breach either.