May 5, 2016 by

Hacker Trades Hundreds of Millions of Stolen Gmail & Yahoo Email Credentials

Hold Security, an independent security firm has revealed that hundreds of millions of hacked and stolen email credentials including user names and passwords were recovered after an exchange with a Russian hacker.

Hold Security has announced the discovery of 272.3 million stolen email account credentials of users of services such as Google, Yahoo, Microsoft and popular Russian email service provider, Mail.ru.

The substantial discovery is one of the largest stashes of stolen credentials to be uncovered in recent times.

The hacker, a young Russian national, was discovered bragging in an online forum that he had collected and was even ready to give away a huge stash of stolen credentials, totaling at 1.17 billion records.

Speaking to Reuters, Alex Holden, founder and chief information security officer of Hold Security stated that the big cache contained nearly 57 million Mail.ru accounts, even after eliminating duplicates. The cache also included tens of millions of credentials from three of the world’s biggest email providers – Gmail, Microsoft and Yahoo.

Holden stated:

This information is potent. It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him. These credentials can be abused multiple times.

According to Holden:

  • Yahoo Mail credentials numbered 40 million, or 15 percent of the 272 million unique IDs discovered.
  • Microsoft Hotmail accounts numbered 33 million, or 12 percent of the unique IDs.
  • Gmail accounts numbered 24 million, or 9 percent of the unique IDs.

Holden also revealed that thousands of other stolen combinations of usernames and passwords appeared to belong to the employees of some of the largest banks, manufacturing companies and retailers in the United States.

Related article: Smart Refrigerators Leave Gmail Logins Vulnerable to Exploits

In exchange for the entire trove, the hacker sought only 50 roubles, less than $1. Holden did not pay however, as it goes against the company’s policy to do so. Instead, the hacker gave away the stolen credentials after Hold Security agreed to upvote or ‘like’ the hacker’s social media pages.

Researchers at Hold Security have dubbed the hacker ‘the Collector’ after his substantial trove and the entire account of exchange with the hacker and the report itself can be found here.

About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

Canadian Hacker Pleads Guilty to Yahoo Breach Instigated by Russia

A Canadian national accused by the United States of helping Russian intelligence agents breach into...

Read more arrow_forward

Yahoo! Still Doesn’t Know Cause Behind Biggest Data Breach Ever

Former Yahoo CEO Marissa Mayer has admitted that the web giant still doesn’t know the cause behind...

Read more arrow_forward

Yahoo: All 3 Billion Accounts Impacted by 2013 Data Breach

Yahoo has announced that the massive data breach in August 2013 has affected every single user of...

Read more arrow_forward