Russian hacker offers millions of e-mail IDs - for just $1
HUNDREDS of millions of hacked usernames and passwords for e-mail accounts and other websites are being traded in Russia's criminal underworld, said a security expert.
The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia's most popular e-mail service, and smaller fractions of Google, Yahoo and Microsoft e-mail users, said Alex Holden, founder and chief information security officer of Hold Security.
It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major United States banks and retailers two years ago.
The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totalling 1.17 billion records.
After eliminating duplicates, the cache contained nearly 57 million Mail.ru accounts.
It also included tens of millions of credentials for the world's three big e-mail providers - Gmail, Microsoft and Yahoo - plus hundreds of thousands of accounts at German and Chinese e-mail providers.
Mysteriously, the hacker asked just 50 roubles (S$1) for the entire trove, but gave up the dataset after Hold researchers agreed to post favourable comments about him in hacker forums, said Mr Holden.
Such large-scale data breaches can be used to engineer further break-ins or phishing attacks by reaching the universe of contacts tied to each compromised account, multiplying the risks of financial theft or reputational damage across the Web.
Hackers know users cling to favourite passwords, which is why attackers reuse old passwords found on one account to try to break into other accounts of the same user.
A Microsoft spokesman said stolen online credentials was an unfortunate reality, and that it has security measures in place for proper verification.
Yahoo and Google did not respond to requests for comment.