Hacker Trades Hundreds of Millions of Stolen Gmail & Yahoo Email Credentials

Hold Security, an independent security firm has revealed that hundreds of millions of hacked and stolen email credentials including user names and passwords were recovered after an exchange with a Russian hacker.

Hold Security has announced the discovery of 272.3 million stolen email account credentials of users of services such as Google, Yahoo, Microsoft and popular Russian email service provider, Mail.ru.

The substantial discovery is one of the largest stashes of stolen credentials to be uncovered in recent times.

The hacker, a young Russian national, was discovered bragging in an online forum that he had collected and was even ready to give away a huge stash of stolen credentials, totaling at 1.17 billion records.

Speaking to Reuters, Alex Holden, founder and chief information security officer of Hold Security stated that the big cache contained nearly 57 million Mail.ru accounts, even after eliminating duplicates. The cache also included tens of millions of credentials from three of the world’s biggest email providers – Gmail, Microsoft and Yahoo.

Holden stated:

This information is potent. It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him. These credentials can be abused multiple times.

According to Holden:

  • Yahoo Mail credentials numbered 40 million, or 15 percent of the 272 million unique IDs discovered.
  • Microsoft Hotmail accounts numbered 33 million, or 12 percent of the unique IDs.
  • Gmail accounts numbered 24 million, or 9 percent of the unique IDs.

Holden also revealed that thousands of other stolen combinations of usernames and passwords appeared to belong to the employees of some of the largest banks, manufacturing companies and retailers in the United States.

Related article: Smart Refrigerators Leave Gmail Logins Vulnerable to Exploits

In exchange for the entire trove, the hacker sought only 50 roubles, less than $1. Holden did not pay however, as it goes against the company’s policy to do so. Instead, the hacker gave away the stolen credentials after Hold Security agreed to upvote or ‘like’ the hacker’s social media pages.

Researchers at Hold Security have dubbed the hacker ‘the Collector’ after his substantial trove and the entire account of exchange with the hacker and the report itself can be found here.