A report from Reuters suggests that over 270 million hacked email credentials—including those from Gmail, Hotmail and Yahoo—are circulating among Russian digital crime rings.
Reuters reports that an investigation by Hold Security revealed the huge stash of login details, that are said to be being traded among criminals. Many of the credentials relate to the Russian email service Mail.ru, but the team has also identified details from Google, Yahoo and Microsoft.
Update: There may, however, not be too much cause for concern, as Motherboard points out that the data may in fact be taken from a series of older hacks, which means the credentials are likely useless.
The team from Hold Security was offered a tranche of 1.17 billion email user records in an online forum, and asked to pay just $1 for a copy of the data. The team refused to pay for stolen data, but was given the information anyway when it offered to post positive comments about the hacker online.
The team has since sifted through the data set to remove duplicates, revealing that it contains 270 million unique records. Alex Holden, the founder of Hold Security, told Reuters that the data was “potent,” adding that the “credentials can be abused multiple times.”
Hold Security has apparently alerted all of the affected email providers. Mail.ru, Google, Yahoo and Microsoft are all now investigating the situation.
A Microsoft spokesperson told Gizmodo that “unfortunately, there are places on the internet where leaked and stolen credentials are posted,” adding that it “has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account.”
It may be that the stash is out of date and doesn’t present too much of a security threat—though, of course, it could be a new pool of data, in which case the accounts included in the tranche could be at risk. Initial reports to the BBC from Mail.ru suggest that, from a sample of the records, there may not be many live email-passwords combinations in the data.
But it may be a good time to refresh your password anyway.
Update 07:43am EST: The article was updated to include a comment from Microsoft made in response to a request from Gizmodo.
Update 08:02 EST: The article was updated to point out that the data appears to be a collection of data from older data breaches..