A massive data breach has been found in major email service providers — including the likes of Gmail and Yahoo. According to a report in Reuters, user names and passwords of 273.3 million email accounts have been exposed in the breach and are being traded in Russia’s criminal underworld.
The information was revealed to Reuters by security experts at Hold Security. According to founder and chief information security officer of Hold Security,Alex Holden, a majority of stolen accounts belonged to Russia’s most popular email service Mail.ru with about 57 million accounts affected.
And this is a huge number given the fact that there were about 64 million total monthly active email users on Mail.ru at the end of last year.
However, a small yet significant portion of accounts also belonged to Yahoo mail (40 million), Gmail (24 million), and Hotmail users (33 million). A large number of affected accounts belong to German and Chinese users and employees from US banking, manufacturing and retail companies.
Holden discovered the breach directly from the hacker who was apparently bragging about having massive email user data on an online forum.
He was ready to sell the entire data set for a sum of less than $1. But when Holden assured him of posting “favorable comments” about him in various hacker forums, he agreed to hand over the data to him.
This information is potent. It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him. These credentials can be abused multiple times,
Although the number of affected users were comparatively small than the total number of email users around the world, but people usually are habitual of using their favorite passwords and hardly change them regularly despite the security recommendations.
So, this data breach could potentially lead hackers to use those passwords to break into other accounts of users. The company had already informed all affected email service providers about the breach 10 days ago as it is under the company policy to hand over the stolen data to affected companies.