IT security expert offered 272mn hacked Google, Microsoft, Yahoo passwords for $1
Alex Holden, a Ukrainian-American who runs the Hold Security firm, told Reuters that he was trawling through a Russian hacker forum when he was offered a database containing 1.17 billion records for a symbolic sum of 50 rubles – less than $1. When Holden refused as a matter of company policy, the owner gave up the data in exchange for a positive comment on a hacker forum.
“This information is potent. It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him. These credentials can be abused multiple times,” said Holden, who has previously exposed details of wide-scale hacks at Target and JPMorgan.
Once in possession of the data, Hold Security eliminated duplicate accounts, paring the data down to 272.3 million individual records. The biggest breach appears to be from Mail.ru, Russia’s biggest email provider, which has 64 million active users. Some 57 million passwords from that service were in the database.
“An initial study of a random selection of entries has shown that it contains no valid passwords for live accounts,” said a statement from Mail.ru, which received the data trove directly from Holden without charge. “Also it contains different passwords for the same email address, suggesting that the database was compiled from different, other websites, where the email address was used as the login.”
“We are continuing to scan through the database, and as soon as we have more information, we will warn our users of any security risks,” said the London Stock Exchange-listed company, which is valued at over $4 billion.
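The article describes two analysis steps a recipient of such a list performs before warning users: collapsing duplicate records, and noticing that one address appears with several different passwords, the sign Mail.ru cited for a list compiled from other websites. The following Python script is an added illustration of that triage, not code from Hold Security, Mail.ru or any company named in the article. The `email:password` line format, every record in the sample, and the function names are constructed for the example; it does not test any password against a live account, it only counts and groups records so a provider can decide which of its own users to notify.

```python
"""Triage of a leaked credential list (added example; constructed data).

Steps demonstrated:
  1. parse and normalise records, skipping malformed lines
  2. drop exact duplicates, as Hold Security did before counting
  3. count distinct addresses per mail provider
  4. flag addresses seen with more than one password, the signal that a
     list was assembled from other sites where the address was the login
"""
from collections import Counter, defaultdict

# Constructed sample dump: none of these addresses or passwords are real.
SAMPLE_DUMP = """\
alice@mail.ru:hunter2
alice@mail.ru:hunter2
ALICE@mail.ru:hunter2
alice@mail.ru:correcthorse
bob@example.com:pa55word
bob@example.com:pa55word
carol@outlook.com:qwerty
carol@outlook.com:qwerty2
this line is malformed
dave@yahoo.com:
"""


def parse_records(text):
    """Yield (email, password) pairs from 'email:password' lines.

    Lines without a ':' or with an empty field are skipped. Addresses are
    folded to lower case so that ALICE@ and alice@ collapse into one record
    (providers treat the local part case-insensitively in practice).
    """
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        email, _, password = line.partition(":")
        email, password = email.strip().lower(), password.strip()
        if not email or not password or "@" not in email:
            continue
        yield email, password


def dedupe(records):
    """Collapse exact (email, password) duplicates, keeping first-seen order."""
    seen, out = set(), []
    for rec in records:
        if rec not in seen:
            seen.add(rec)
            out.append(rec)
    return out


def count_by_domain(records):
    """Distinct addresses per provider domain (the per-provider tallies quoted in the article)."""
    addresses = {email for email, _ in records}
    return Counter(email.rsplit("@", 1)[1] for email in addresses)


def multi_password_addresses(records):
    """Addresses that occur with more than one distinct password."""
    passwords = defaultdict(set)
    for email, password in records:
        passwords[email].add(password)
    return {e: sorted(p) for e, p in passwords.items() if len(p) > 1}


def addresses_for_provider(records, domain):
    """Sorted list of this provider's own addresses, i.e. the users it would notify."""
    return sorted({e for e, _ in records if e.endswith("@" + domain)})


def triage(text):
    """Run the full pipeline over a dump and return the summary a provider needs."""
    recs = dedupe(parse_records(text))
    return {
        "unique_records": len(recs),
        "by_domain": count_by_domain(recs),
        "multi_password": multi_password_addresses(recs),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_DUMP)
    print("unique records:", summary["unique_records"])
    print("by domain:", dict(summary["by_domain"]))
    print("addresses with several passwords:", summary["multi_password"])
    print("mail.ru users to notify:", addresses_for_provider(dedupe(parse_records(SAMPLE_DUMP)), "mail.ru"))
```

On the constructed sample the ten lines reduce to five unique records; `alice@mail.ru` and `carol@outlook.com` each appear with two different passwords, which on a real list would be the hint that the entries came from other sites rather than from the mail provider itself. The provider's follow-up is a reset or warning for the addresses in its own domain, not a check of the leaked passwords against live logins.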
Microsoft, which had 33 million IDs on the list, emphasized that its two-step verification process deters such breaches.
“Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access,” said a statement from the Seattle giant.
Yahoo, which was featured 40 million times, and Google, which appeared 24 million times, have not put out any public statements.
“2 step verification should be mandatory. https://t.co/i2eEqlJiiu” — Christopher Mims (@mims), May 4, 2016
As it remains unclear whether the passwords were to email inboxes or other sites, users of these services may be subject to further exposure. IT security experts recommend that users of the affected services change their passwords, or at least ensure that they are using two-step verification, wherever possible.