Free Republic
Browse · Search
General/Chat
Topics · Post Article


Russian hacker hands over 272 million unique email accounts
fudzilla.com | 05 May 2016 | by Jon Worrel

Posted on 05/06/2016 10:39:02 AM PDT by Ernest_at_the_Beach


Biggest credential cache amassed by a single individual to date

This week, an anonymous young Russian hacker calling himself “the Collector” just handed over roughly 232 million unique email account credentials and passwords on a social media forum, with a total cache of 1.17 billion records.

The hacker claims he only wanted 50 rubles – approximately 75 cents – for all of the information, but ended up simply exchanging them for “likes” on his social media page and some favorable comments about him in hacker forums, according to cyber security experts.

The obtained credential information breaks down as follows – over 57 million from Mail.ru accounts (the service currently has 64 million total users), 40 million from Yahoo Mail accounts (15 percent), 33 million from Microsoft Hotmail accounts (12 percent), and 24 million from Gmail accounts (9 percent), according to Holden Security LLC which recovered the information. The security group told International Business Times that 85 percent of the accounts were repeats from previous public data breaches, but the collection is now “the biggest [credential cache] amassed by a single individual.”

Holden, a Ukrainian-American who specializes in Eastern European cybercrime threats, does not negotiate with hackers for stolen data. Instead, if an individual has something new and valuable to offer, his company is trained to bring a careful non-incentivizing approach to the table.

“We start our dance; ask, negotiate, finagle, anything permissible to get the data without rewarding the bad guys for their work,” the company says in its recent blog post. “After seeing most everything, and hearing even more, we have become skeptics, analyzing every bit of information we come across. Hence, when someone claims to have 900 million credentials in a single batch, we have to approach it with curbed enthusiasm.”

So in return, Holden Security did exactly what the hacker wanted and gave him some “likes” on his social media webpage.

Microsoft and Mail.ru respond, Yahoo and Google remain quiet

"As soon as we have enough information we will warn the users who might have been affected," Mail.ru said in an email to Reuters. Mail.ru company officials said that initial checks have found no live combinations of user names and passwords which match existing emails.

A Microsoft spokesman said that online credential breaches are an unfortunate reality. "Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access."

For some reason or another, however, Google and Yahoo declined to comment on the breach.

Meanwhile, 4 million of the stolen credentials were never seen in any previous data breaches and are now being processed and distributed to cybersecurity firms and research teams.

Security breaches are not “few and far in between” right now and victims need to be made aware

As HoldSecurity.com notes, the business of recovering stolen credentials is easier said than done. In October 2013, an Adobe security breach ended up with hackers stealing nearly 153 million user accounts. In this event, customer passwords were actually stored pretty securely in the Data Encryption Standard (DES) format. Unsurprisingly, however, the most commonly used passwords on people’s accounts were ‘123456,’ ‘password,’ ‘123456789’ and ‘qwerty.’

Again in 2014, Hold Security LLC said it had uncovered 360 million stolen credentials that are available on cyber black markets, though their origins were unidentified. Alex Holden, chief information security officer at the company, said the records were likely obtained in separate attacks, but that 105 million were pulled from a single credential breach – one of the largest breaches at the time.

The 105 million record was very unfortunately toppled in October 2015, when Holden Security LLC revealed a Russian cyber gang was in possession of 1.2 billion unique credentials belonging to over half a billion email addresses – the largest breach known to date. The Russian cyber gang allegedly robbed over 420,000 websites and FTP sites to obtain this detrimental amount of private information. More specifically, it used SQL injection vulnerabilities in a majority of the breaches and mostly focused on acquiring credential pairs (email and password combinations).

Hold Security LLC has now partnered with major corporations to provide them with Deep Web Monitoring and Threat Intelligence services that analyze intelligence on specific industry threats. The results are then extrapolated to determine the most likely impact to an organization, along with mitigation strategies including near real-time alerts, real-time chat room monitoring, Botnet monitoring and domain name impersonations, among other monitoring services. At today’s rate, the company’s cyber intelligence division recovers about 100 million stolen credentials per month.

How do unaware credential victims learn of their breach status?

Thankfully, there is a useful website called www.haveibeenpwned.com created by Troy Hunt as a free resource for anyone to quickly assess whether their email credentials may have been compromised in a corporate data breach over the past several years.

Hunt is a Microsoft Regional Director and MVP awardee for Developer Security and has been passionate about helping identity theft victims learn of any specific compromised accounts. Microsoft’s Regional Directors are a select group of non-employee independent developers who act as unpaid evangelists to the developer community for certain Microsoft technologies.

The site includes an option to notify users in the event their email credentials may have been breached, but will first send a verification email to confirm an address.



TOPICS: Computers/Internet
KEYWORDS: bhorussia; cybersecurity; emailhackers; gmail; google; hacker; holdensecurityllc; hotmail; internet; microsoft; russia; ukraine; yahoo

1 posted on 05/06/2016 10:39:02 AM PDT by Ernest_at_the_Beach

To: ShadowAce; SunkenCiv; NormsRevenge; SierraWasp; Marine_Uncle; TigersEye; justa-hairyape; ...

Yikes!


2 posted on 05/06/2016 10:42:01 AM PDT by Ernest_at_the_Beach

To: Ernest_at_the_Beach; AdmSmith; AnonymousConservative; Berosus; Bockscar; cardinal4; ColdOne; ...
Thanks Ernest.

3 posted on 05/06/2016 11:29:19 AM PDT by SunkenCiv (Here's to the day the forensics people scrape what's left of Putin off the ceiling of his limo.)

To: Ernest_at_the_Beach

Fire Holden. Hire the Russian!


4 posted on 05/06/2016 12:56:23 PM PDT by TigersEye (This is the age of the death of reason and rule of law. Prepare!)

To: Ernest_at_the_Beach
Thankfully, there is a useful website called www.haveibeenpwned.com created by Troy Hunt as a free resource for anyone to quickly assess whether their email credentials may have been compromised in a corporate data breach over the past several years.

And I know I can trust that "free" service how, exactly? I go there and put in my personal data? Have you done that yourself? Seriously, isn't that the typical M.O. of a scam built upon a scam? Not going there anyway.

5 posted on 05/06/2016 2:19:47 PM PDT by Moltke (Reasoning with a liberal is like watering a rock in the hope to grow a building)

To: Ernest_at_the_Beach

Thanks. My two main email accounts are fine.


6 posted on 05/06/2016 3:07:21 PM PDT by justa-hairyape (The user name is sarcastic. Although at times it may not appear that way.)

To: Moltke

Just typed in my email addresses. No other data needed.


7 posted on 05/06/2016 3:09:21 PM PDT by justa-hairyape (The user name is sarcastic. Although at times it may not appear that way.)

To: Ernest_at_the_Beach

FR is about to get 272 million new screen names! Woohoo!


8 posted on 05/06/2016 3:11:37 PM PDT by Larry Lucido

To: Moltke
And I know I can trust that "free" service how, exactly? I go there and put in my personal data? Have you done that yourself? Seriously, isn't that the typical M.O. of a scam built upon a scam?

From the site's FAQs:

How do I know the site isn't just harvesting searched email addresses?

You don't, but it's not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you're concerned about the intent or security, don't use it.

What changes in the site's operation would you suggest?

9 posted on 05/06/2016 3:25:12 PM PDT by cynwoody

To: Ernest_at_the_Beach
RE: "Yikes!"
And strips.
Things have gotten well out of hand as you're painfully aware in this world of INTERNET thief.
10 posted on 05/07/2016 1:47:24 PM PDT by Marine_Uncle (Galt level is not far away......but alas! Honor must be earned...)

To: justa-hairyape; cynwoody

Thanks!


11 posted on 05/07/2016 2:07:55 PM PDT by Moltke (Reasoning with a liberal is like watering a rock in the hope to grow a building)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
