An exclusive report from Reuters on May 5, 2016 revealed that 272.3 million user names, passwords, and e-mail accounts were stolen in a major data breach — and now they’re being traded in Russia’s criminal underworld.
Reuters received news of the discovery from Alex Holden, founder and chief information security officer of Milwaukee-based Hold Security. Researchers at Hold Security caught wind of the breach after coming across a young Russian hacker bragging in an online forum; the hacker said he had 1.17 billion records that he was willing to give away for free.
“It [the information] is just floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him,” said Holden.
Holden and his team went through the data and eliminated duplicates. They found almost 57 million Mail.ru accounts, 40 million Yahoo accounts, 33 million Hotmail accounts, and 24 million Gmail addresses. There were also hundreds of thousands of accounts from German and Chinese email providers, along with username/password combinations that seem to belong to employees of major banking, manufacturing, and retail companies.
Hold began notifying affected organizations about two weeks ago and returned all recovered data to those companies.
How the E-mail Providers Are Responding to the Breach
Because the stolen user information was just recently discovered, many of the affected e-mail providers are still investigating and deciding the best course of action.
“We are now checking whether any combinations of usernames/passwords match users’ e-mails and are still active,” said Mail.ru in an e-mail statement to Reuters. “As soon as we have enough information we will warn the users who might have been affected.”
Speaking with Mashable, a Microsoft spokesperson said, “Unfortunately, there are places on the Internet where leaked and stolen credentials are posted, and when we come across these or someone sends them to us, we act to protect customers. Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account.”
Google and Yahoo have not commented on the breach yet.
What You Can Do to Protect Your E-mail Account
Chances are, if you had your e-mail account information stolen, you would have encountered some red flags by now. You may have received alerts that someone incorrectly entered your password too many times, or that someone logged into your account from an unfamiliar location. Any time you receive these types of notifications, it’s a good idea to change your password immediately — just in case. Even if you have not had any issues with your e-mail account yet, you may want to change your password to be safe (especially if you use one of the affected e-mail providers).