18 February 2019
The leak included tens of millions of credentials for the world's three biggest email providers: Gmail, Microsoft and Yahoo. Photo: Gawker
The leak included tens of millions of credentials for the world's three biggest email providers: Gmail, Microsoft and Yahoo. Photo: Gawker

Big data breaches found at major email services

Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia’s criminal underworld, a security expert told Reuters.

The discovery of 272.3 million stolen accounts included a majority of users of, Russia’s most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users, said Alex Holden, founder and chief information security officer of Hold Security.

It is one of the biggest stashes of stolen credentials to be uncovered since cyberattacks hit major US banks and retailers two years ago.

Holden was previously instrumental in uncovering some of the world’s biggest known data breaches that affected tens of millions of users at Adobe Systems, JPMorgan and Target and exposed them to subsequent cybercrimes.

The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totalling 1.17 billion records.

After eliminating duplicates, Holden said, the cache contained nearly 57 million accounts — a big chunk of the 64 million monthly active email users said it had at the end of last year.

It also included tens of millions of credentials for the world’s three biggest email providers — Gmail, Microsoft and Yahoo — plus hundreds of thousands of accounts at German and Chinese email providers.

“This information is potent. It is floating around in the underground, and this person has shown he’s willing to give the data away to people who are nice to him,” said Holden, the former chief security officer at US brokerage R.W. Baird.

“These credentials can be abused multiple times.”

Mysteriously, the hacker asked just 50 rubles — less than US$1 — for the entire trove but gave up the dataset after Hold researchers agreed to post favorable comments about him in hacker forums, Holden said.

Such large-scale data breaches can be used to engineer further break-ins or phishing attacks by reaching the universe of contacts tied to each compromised account, multiplying the risks of financial theft or reputational damage across the web.

Hackers know users cling to favorite passwords, resisting admonitions to change credentials regularly and make them more complex.

That’s why attackers reuse old passwords found on one account to try to break into other accounts of the same user.

– Contact us at [email protected]


EJI Weekly Newsletter

Please click here to unsubscribe