Photo via Andrés Moreira/Flickr (CC-BY-SA)
Major hacker collectives like Anonymous and Lizard Squad may have name recognition, but a security company recently found that one of the largest collections of stolen credentials belonged to a kid in a small town in Russia. The score includes massive amounts of accounts from the world's most popular email services.
The security experts at Hold Security have recovered a trove of over 1.17 billion accounts—including millions of Gmail, Yahoo Mail, Microsoft Hotmail credentials—from an enterprising hacker who has been dutifully collecting information from hacks and leaks. The pile of logins is one of the largest since a massive CyberVor breach in 2014 revealed 1.2 billion unique credentials.
In the process of monitoring the activity of hackers on the dark web, Holden and his analysts came across a hacker forum where the hacker—dubbed "the Collector" by Hold Security—had been claiming to be in possession of hundreds of millions of credentials. When the firm reached out to him to provide proof, he was able to verify his claims.
"When he provided this information, we saw that only 20 percent of it was unique and we had already seen the vast majority of the data already," Hold Secuirty Chief Information Security Officer Alex Holden told the Daily Dot. Even though the majority of the information was known, in a database that big it meant there were still 272 million unique credentials in the bunch.
The negotiation to get the hacker to turn over the information was unusual to say the least. While the Collector told Hold Security, “I am just getting rid of it but I won’t do it for free,” his asking price for the huge collection of credentials was about as close to free as one could get. The hacker asked for 50 rubles, which converts to about 7 cents. Holden said they were eventually able to get the hacker to trade the data in exchange for "a couple likes on his social media pages."
Holden said he's unsure why the asking price was so low. "We were expecting it to be something extortionate," he said. "What's alarming to me...is that if he's willing to give this away virtually for free, he probably had shared this not only with people from Hold Security but actually with the bad guys, the hackers who are possibly abusing or have abused this information already."
Included in the breach are 40 million credentials for Yahoo Mail accounts, 33 million from Hotmail, and nearly 24 million from Gmail. Holden pointed out that email addresses are often simply an identifier for another service, like social media or banking accounts. For example, a Gmail account name may be exposed, but it could be the key to log in to a Facebook account.
Holden suggested thinking of the credentials as keys and services as keyholes. The hacker and anyone else in possession of the Collector's database is armed with an incredible number of keys that can be tried in any lock. "Eventually there is going to be a match. Even a fractional of a percent of matches would mean potential exposure of hundred of thousands of individuals," he said.
The services that have been effected by the breach have been contacted by Hold Security and are aware of the compromised credentials. Holden and his team are working with the service providers to analyze the data and help alert users who may have been affected.
A Yahoo spokesperson told the Daily Dot, “We’ve seen the reports and our team is reaching out to Hold Security to obtain the list of accounts now. We’ll update going forward.”
A spokesperson for Microsoft acknowledged the incident to the Daily Dot, stating, “Unfortunately, there are places on the internet where leaked and stolen credentials are posted, and when we come across these or someone sends them to us, we act to protect customers. Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account.”
Another major service that has been left compromised by the Collector is Mail.ru, Russia's largest email provider. Nearly 57 million credentials from the platform, which touts 64 million monthly active users, were found in the collection. A spokesperson from Mail.ru informed the Daily Dot that the organization was aware of the report and had been in touch with Hold Security.
Mail.ru is currently in the process of checking the logins, many of which contain multiple passwords for a single email address—which would seem to validate Holden's theory that they may be keys to other accounts. "The first check of a sample of data showed, that it does not consist any real live combinations of usernames and passwords which are equal to e-mails," the spokesperson said.
For the time being, the collection of credentials will remain between Hold Security and the platforms that are listed in the collection, with the onus on the platforms to provide their users with any relevant information about their accounts being at risk.
Holden said his company is attempting to figure out the best way to make the information available securely so users may be able to find out if their account was caught in the various breaches that made up the database of logins. The last time it tried such a method, Hold Security became the target of attacks that failed to breach their protections but succeeded in making the information unavailable with DDoS attacks.
Because the information gathered by the Collector appears to have come from a variety of different breaches and hacks, there is no clear vulnerability to be patched up or action to be taken.
However, users can take steps to ensure their security in a variety of ways. Holden suggested activating two-factor authorization on any account when the feature is available. He also advocated using different passwords for different accounts and changing those passwords frequently.