Security researchers have revealed a hacker bragging online that he’d amassed a mountain of passwords, but he didn’t want much in return for them.
That’s the message coming from a hacker who traded more than 272 million account credentials to a cybersecurity company in exchange for praise on a social media platform for hackers.
The passwords and usernames belonged to accounts from Russia’s largest email provider, Mail.Ru, as well as a smaller number of accounts each from Gmail, Yahoo Mail and Microsoft Hotmail. Though it doesn’t mean there was a breach of the email services themselves, the cache, first reported by Reuters, contains a huge amount of data. Cyber security experts said trades like this are an everyday occurrence and show how exposed our passwords really are.
Alex Holden, chief information officer at Hold Security and a cybersecurity researcher who specializes in Eastern European hacking, said the hacker originally offered the cache to the company for the equivalent of just $11, but after some negotiating provided the information in exchange for plaudits on a members-only hacking forum.
“He didn’t value this data,” Holden said.
Mail.Ru said the company was examining the data to see how many passwords were presently connected to email accounts.
“As we have enough information we will warn the users who might have been affected. Mail.Ru email service has been working hard to continuously improve its security system,” the company said in the statement.
Yahoo said it is also trying to examine the list of credentials.
“We’ve seen the reports and our team is reaching out to Hold Security to obtain the list of accounts now. We’ll update going forward,” the company said in a statement.
Microsoft didn’t confirm whether its users were affected by this data dump, but it did note that the posting of passwords is a problem.
“Unfortunately, there are places on the Internet where leaked and stolen credentials are posted, and when we come across these, or someone sends them to us, we act to protect customers.
“Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account,” a Microsoft spokesman said in a statement.
Google declined to comment on the specific incident. The company wrote a blog post in 2014 about the problem of “password dumps,” offering tips to users on what to do when such lists are posted online.