Archer

Update: Yahoo sent a statement at 1:25 pm on May 6.

Our security team has investigated and we don’t believe there is any significant risk to our users based on the claims shared with the press. We always encourage our users to create strong passwords (here are some tips), or, even better, eliminate use of passwords altogether by using Yahoo Account Key.

Hacker trades enormous database of pilfered credentials for a few “likes” on social media.

Is it a stolen treasure, at last on its way back to its rightful owners? Or digital garbage, painted to look like pearls?

Investigators are searching now to see and verify what is inside the database that a hacker tried to sell in the dark shadows of the Internet, claiming it held a billion stolen usernames and passwords.

“We’ve never seen this amount of credentials on the black market,” said Alex Holden of Hold Security.

Holden said his company spends time monitoring the web’s underbelly, trying to get stolen credentials back from hackers, and in this case, found a massive trove from a cyber peddler in central Russia—1.17 billion records.

Some of the records were repeats, he said, but the cache still yielded 272 million stolen credentials from some of the world’s largest e-mail services, including Gmail, Yahoo, Microsoft and Mail.ru.

“That’s a significant amount and that’s extremely unusual,” he said. “It’s bizarre by itself. But this person was going to give this information away for virtually free.”

Mysterious data

This case began like many password recovery operations Holden’s company carries out.

“We reached out on a place where hackers congregate to a hacker who said, ‘I have a lot of stolen data. I want to get rid of it,’” he said.

The hacker provided samples that proved to be real, Holden said, but also dropped a bombshell—his price tag.

“He asked for 50 rubles,” he said. “By the current exchange rate, it’s less than a dollar.”

Holden estimates the seller could have received several thousand dollars for a cache that size, if he had sold at the going rate.

“This greatly impacts the data’s credibility and value, similar to an expensive sports car being sold for pennies at auction,” reads a blog post about the incident on Hold Security’s site.

Get the data

Still, Holden and his crew wanted the records. And they were not willing to pay even a few cents.

“We never try to feed the hackers with money,” he explained.

The hacker then turned his request from dollars to popularity on social media.

“To add more for votes to his Russian social media page,” said Holden. “Just also very laughable because he asked initially for seven votes, then for fifteen more votes.”

They placed the votes, and in return received a link to a massive database that took more than an hour to download. After multiple exchanges of votes and data, the transfer was complete.

“At the end, this kid from a small town in Russia collected an incredible 1.17 billion stolen credentials from numerous breaches that we are still working on identifying,” the post said.

Inside the database

Out of the unique credentials, 24 million were for Gmail accounts, 33 million were for Microsoft Hotmail, 40 million were for Yahoo e-mail, and 57 million were accounts at Mail.ru, a Russian e-mail service provider, reported Reuters.

There were also accounts for German and Chinese accounts and “thousands of other stolen username/password combinations appear to belong to employees of some of the largest U.S. banking, manufacturing and retail companies,” according to Reuters.

But Holden said his company has seen 85% of the credentials before, meaning that they may come from past thefts and breaches, and the owners may have already been notified that their accounts were compromised.

The total of “new” credentials is 42.5 million usernames and passwords that his company has not seen before, according to Holden—more than 40 million people whose accounts may be at risk.

Hold Security has recovered large amounts of stolen credentials from hackers in the past, reported Reuters, including a 360 million record collection in 2014.

Breach or no breach?

Malicious hackers don’t need to attack your e-mail service provider to get your e-mail credentials, according to Holden.

“An address from e-mail providers does mean that e-mail providers are breached or people’s e-mail accounts have been compromised,” he said.

“You use your e-mail address for your user ID for a great many services,” Holden said. “You may be logging into Facebook. You may be logging into Twitter. You may also be logging into a bunch places that you don’t put any value into with your username and password.”

“The users need to be cognizant that potentially their credentials have been put on the black market without ever knowing it,” he said.

How did the hacker get them?

The hacker did not steal all of the records himself, Holden surmises.

“We are really not dealing with a mastermind,” he said. “After all, he asked to ‘like’ his social media page.”

The hacker may have pilfered it not from businesses, but from other hackers, Holden theorizes. So it’s possible that other hackers have access to the same data. But that data might lose its value if Holden’s crew exposes the theft and people change their e-mail passwords.

How will you know if you’re compromised?

Holden’s company contacted the e-mail service providers and other organizations affected, so that they could check out the data and notify victims.

“We can’t really send out 272 million e-mails,” Holden said.

“We are providing this information to a lot of companies saying, ‘Okay, can you can protect your users and alert them if their accounts have been breached?’” he said.

Your e-mail service provider

Archer News checked with the four large e-mail providers found in this mysterious data collection. 

“Unfortunately, there are places on the internet where leaked and stolen credentials are posted, and when we come across these or someone sends them to us, we act to protect customers,” a Microsoft spokesperson said in an e-mail to Archer News. “Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account.” 

A Yahoo spokesperson told Tech Insider, “We’ve seen the reports and our team is reaching out to Hold Security to obtain the list of accounts now. We’ll update going forward.”

A spokesperson from Google said the company does not comment about specific incidents, according to Tech Insider, but referred to a 2014 Google blog post on these kinds of situations.

The post said, “It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources.”

“For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others,” the post continued. “Or attackers can use malware or phishing schemes to capture login credentials.”

Mail.ru posted a statement on its site saying it had contacted Holden and is looking at the data.

“The study of the first random sample showed that it does not contain passwords that are suitable for active live accounts,” the statement said.

“In addition, attention is drawn to the fact that the database contains a large number of the same logins with different passwords, which suggests that it was compiled from fragments of different databases,” the post continued. “We continue to check the database and as soon as we have more information, we will warn users who may have been affected.”

What now?

If it turns out that your username and password are among the 85% from previous breaches and thefts, Holden hopes you were warned and have changed your password already.

However, he said some people do not, even after they have received an alert.

If yours turn out to be one of the 15% of new records, his recommendation is also to change your password.

Either way, and even if you’re not a victim, it is a good idea to enable two-step identification and use different credentials for different accounts, according to Holden.

Otherwise, hackers can get into your many accounts by simply trying your password on each one. 

The key to my car and the key to my house are two different keys,” he explained. “But we tend to use same password. People need to change their passwords regularly. That way, if something is stolen, it loses its potency.”