272 Million login credentials found in the criminal underground

Hundreds of millions of hacked login credentials for email accounts and other websites are available in the Russian criminal underworld.

Security researchers at the Hold Security firm have discovered a young Russian hacker claiming to have acquired 1.17 billion stolen credential records.

Alex Hold, the founder and chief information security officer at Hold Security, explained he shocked when he verified that huge volume of stolen login credentials obtained by the hacker, is composed of more than 272.3 million stolen accounts.

The huge quantity of login credentials appears to be the cumulative results of many different security breaches.

The Reuters news agency discovered that the huge archive of stolen login credentials includes 57 million of mail.ru accounts.

“Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia’s criminal underworld, a security expert told Reuters.” reported the Reuters. “The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia’s most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users, said Alex Holden, founder and chief information security officer of Hold Security.

The archive also includes tens of millions Yahoo Mail credentials, Microsoft Hotmail accounts, and Gmail email accounts.

“Yahoo Mail credentials numbered 40 million, or 15 percent of the 272 million unique IDs discovered. Meanwhile, 33 million, or 12 percent, were Microsoft Hotmail accounts and 9 percent, or nearly 24 million, were Gmail, according to Holden.”

A Microsoft spokesman confirmed the authenticity of the stolen login credentials, Yahoo and Google did not respond to requests for comment.

Thousands of credentials appear to belong employees of some of the largest US companies, including banks and retail firms.

The majority of stolen login credentials was already traded in the criminal underground, but 42.5 million credentials have not been seen in the underworld before.

“This kid from a small town in Russia,” writes Holden, “collected an incredible 1.17 Billion stolen credentials from numerous breaches that we are still working on identifying. 272 million of those credentials turned out to be unique, which in turn, translated to 42.5 million credentials – 15% of the total, that we have never seen before.”

This is one of the biggest stashes of stolen login credentials discovered in the recent years. On august 2014, experts at Hold Security discovered  the biggest database of stolen user names and passwords and email addresses, the news was reported by The New York Times that hired an independent security expert who verified the authenticity of stolen data.

The U.S.-based Internet security company have discovered the amazing amount of data, nearly 1.2Billion credentials and half a billion email addresses, that is considered the single biggest amount of stolen Internet identity information ever collected. The experts believe that the data was collected from the numerous data breaches occurred all over the world in the last months and that hit around 420,000 websites.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – stolen login credentials, hacking)