272 Million Stolen Credentials For Sale? Don't Panic
No One Knows If Leaked Account Credentials Even Work
(Note: An update on this report is now available.)
Don't fear the leaked logins.
That's the message from numerous security experts in the wake of reports that Milwaukee-based Hold Security obtained 1.17 billion stolen credentials - of which 272 million are unique - for free from an unidentified "kid from a small town in Russia."
Hold Security CISO Alex Holden tells Reuters that the leaked credentials are for tens of millions of email addresses tied to the world's biggest email service providers. All told, he claims, the login information includes credentials for 40 million Yahoo, 33 million Hotmail and 24 million Gmail email accounts; hundreds of thousands of accounts for email service providers in China and Germany; and 57 million accounts tied to Russia's Mail.ru, which says it sees 64 million active email users per month.
In a blog post, Hold Security says that the collected information was amassed by a young Russian hacker over an unspecified period of time, and that he originally attempted to sell it for just 50 rubles ($0.75), before giving it away to Hold Security in exchange for some "likes" on his social media accounts.
"We do not pay hackers for stolen data," Hold Security says. Holden also tells Reuters that the company alerts and shares recovered data with relevant organizations, and that it charges little or nothing for doing so.
Google didn't respond to a request for comment about the Hold Security data and whether it appeared to be accurate or still active, while Microsoft and Yahoo say they're investigating.
But Mail.ru tells me that it's obtained a sample of data that contains Mail.ru email accounts from Alex Holden. "Early analysis shows that many username/password combinations contain the same username paired with different passwords. It means that the [data set] is compiled from different sources, where people used email addresses as their usernames," a Mail.ru spokeswoman says.
The firm says it will warn any users if it finds their active login credentials in the data set, although so far, it has found none. "We are now checking whether any username/password combinations match valid login information for our email service, and as soon as we have enough information we will warn the users that might have been affected," the spokeswoman says. "The first check of a sample of data showed that it does not contain any combinations valid for [accessing Mail.ru] email [accounts]."
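As an added example (not code from the article, Mail.ru or Hold Security), this is the kind of first-pass triage a provider runs over such a dump before deciding whether anyone needs warning: it normalises and deduplicates the pairs, counts accounts per provider domain, and flags usernames that appear with several different passwords, which is the aggregation signal Mail.ru describes. The sample lines, the accepted delimiters and the heuristic itself are constructed assumptions.

```python
"""Triage a leaked-credential dump before deciding whether to warn users.

Added example; sample lines are constructed. The delimiter handling and the
'same username, different passwords' heuristic are assumptions about how
aggregated dumps tend to look, not a description of the Hold Security data.
"""
from collections import defaultdict
import re

# Constructed sample: duplicates, mixed delimiters, mixed case, one malformed line.
SAMPLE_DUMP = """\
alice@mail.ru:hunter2
Alice@Mail.ru:hunter2
alice@mail.ru;Summer2015!
bob@gmail.com:qwerty
bob@gmail.com:qwerty
carol@yahoo.com:letmein
this line has no delimiter
dave@hotmail.com:P@ssw0rd
dave@hotmail.com:P@ssw0rd
dave@hotmail.com:dave1985
"""

# email, then ':' or ';', then the rest of the line as the password
LINE_RE = re.compile(r"^\s*([^:;\s]+@[^:;\s]+)\s*[:;]\s*(.+?)\s*$")


def parse_pairs(dump):
    """Yield (email, password) with the email lower-cased; skip unparseable lines."""
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def triage(dump):
    """Raw vs unique counts, accounts per domain, and the aggregation signal."""
    raw = list(parse_pairs(dump))
    unique_pairs = set(raw)                 # the '272 million unique' style figure
    pw_by_user = defaultdict(set)
    for email, pw in unique_pairs:
        pw_by_user[email].add(pw)
    by_domain = defaultdict(int)            # per-provider exposure, e.g. mail.ru
    for email in pw_by_user:
        by_domain[email.rsplit("@", 1)[1]] += 1
    # Same username with several passwords suggests the dump merges many sources.
    multi = sum(1 for pws in pw_by_user.values() if len(pws) > 1)
    return {
        "raw_pairs": len(raw),
        "unique_pairs": len(unique_pairs),
        "unique_accounts": len(pw_by_user),
        "accounts_with_multiple_passwords": multi,
        "accounts_by_domain": dict(by_domain),
    }
```

Whether any surviving pair still opens an account is a separate step that only the provider can perform against its own authentication system; the ratios above only tell you how much of the dump is padding and whether it looks stitched together.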
Account Credential Warning Redux
If the warning over a massive quantity of credentials being offered for sale online by a Russian sounds familiar, that's because it recalls a 2014 warning from Holden about "what could be arguably the largest data breach known to date," by a group he dubbed CyberVor ("vor" is Russian for thief). Holden claimed the group amassed 1.2 billion unique credentials tied to more than 500 million email addresses, in part by exploiting known flaws to hack into websites. But it was less a breach and more a semi-curated list of potentially active access credentials for various sites (see CyberVor Update: Hold Security Responds).
The warning by Hold Security led the FBI to investigate, as well as to question Holden about how exactly he'd found the information. The FBI said Holden declined to answer that question, citing confidentiality agreements (see FBI Probes 1.2B Stolen Credentials). Hold Security also caught flak from security experts for appearing to use the breach to advertise a $120 per year service designed to alert organizations when the security firm found their customers' account details in data dumps or for sale on cybercrime forums.
Fast-forward to April 2016, and a hacker is reportedly offering to part with stolen credentials for less than $1, which suggests that the proffered data quality is poor, at best. And Hold Security's pattern of trumpeting large sets of allegedly stolen or leaked user credentials also has many security experts questioning the usefulness of its reports.
"Based on similar reports by Hold Security in the past, we suggest that the method and tone of this disclosure is intended to generate media attention and marketing rather than highlight an actual increased threat," threat-intelligence firm iSight Partners says in a research note.
Massive Leaked-Data Sets? Not Unprecedented
To be clear, we are talking about a substantial amount of account data, although such a collection would not be unprecedented, iSight Partners notes. But it's not clear how the credentials were amassed, if they still work or if they were ever legitimate. "There is no evidence that these credentials are associated with active user accounts, and could easily include data obtained from publicly leaked breaches, accounts created through automated means by malicious actors, data from credential theft botnets and numerous other sources," iSight Partners says.
With all that in mind, security expert Troy Hunt, who runs the free "Have I Been Pwned?" service to alert email account holders when their details show up in data dumps, advises everyone to "chill a bit" over what he characterizes as a "very inconclusive incident."
"Everyone needs to chill a bit over this incident, there's very little info on where they came from or if even legit." https://t.co/FWRAhFlSqi
- Troy Hunt (@troyhunt), May 5, 2016
For now, take these and any other reports about email account credential leaks with a grain of salt. Also don't rush to change Gmail, Hotmail, Mail.ru or Yahoo email address passwords unless advised to do so by those firms.
On the other hand, now is a great time to ensure that you're not reusing passwords (see Why Are We So Stupid About Passwords?). Also activate multifactor authentication for any service that offers it. That way, even if your valid email account credentials do get stolen, you'll still be protected.
Mail.ru, for example, says it's made numerous, related upgrades and changes. "Last year we launched a two-factor authentication, which we strongly recommend all our users to set up as it is one of the most effective ways to protect an email account," its spokeswoman tells me. "Also, we no longer offer new users a security question as a password recovery method."