Huge email leak involving major services.

Published on May 4, 2016 By DrJBHL In Personal Computing

Gmail, Yahoo, Hotmail and Mail.ru and perhaps more, have leaked usernames, email addresses and unencrypted passwords.

The security firm that discovered the breach, Hold Security, believes that many of the accounts involved in this leak have not been previously leaked. According to its analysis there are over 272 million unique email and unencrypted password pairs, where 42.5 million have not been previously leaked.

Hold Security was able to get a hold of the data for free. The hacker originally asked for 50 roubles (equating to around 75 cents or 52 pence) for the entire list. Instead, an agreement was reached to provide the data for free if the firm was to post positive comments about the hacker in a forum.

A breakdown of the major services affected showed the scale of the leak:

57 million accounts for Mail.ru

40 million for Yahoo Mail

33 million for Hotmail

24 million for Gmail

The concern of this leak does not lay solely with people being able to gain access to one's email account, but also that these details could be used to send bulk phishing emails.” (emphasis mine) – Neowin

I’d get busy changing passwords, and be extremely careful about emails with attachments, even from people you know.

Send a return email asking whether they sent you an email with an attachment.

Source:

http://www.neowin.net/news/millions-of-accounts-for-webmail-providers-leaked-gmail-yahoo-mail-hotmail-and-more

Comments (Page 2)

Maiden666

on May 06, 2016

starkers

reply 7

Yeah, I know, but it's not just the lazy bastards who'd rather steal than earn a crust, it's also those who hack primarily to cause harm, pain and frustration. The cash 'reward' at the end actually disinterests them. No, their 'reward' is derived more from the damage done, and those are the worst kind of hacker. Not that I condone it, but stealing does have a point, in that there is an actual gain, but the senseless hacking that causes nothing but harm is beyond understanding. No person in their right mind would do it, so one can only conclude that those who do it are bitter and twisted individuals with sick minds.... if you could call what's between their ears a mind.

Now I'm not normally an advocate of violence, but the world has become far too soft in criminals and something needs to be done, and I'm sick to the back teeth with true crime being inadequately dealt with while petty misdemeanors are more harshly punished.

The internet lacks natural borders. Most of the "senseless" destruction their is most likely caused by people working under a political agenda. Alot of this comes from Asia & targets the West. These people, possessing good & expensive electronic devices and the related education to make good use of it, are far from being a typical looser-type of criminal who has to steal/rob/whatever in order to support himself.

anotherside

on May 07, 2016

Thanks for posting, Doc.

I did change my passwords, now let's see if I'll remember the new ones.

I have a small book with passwords. It's not the optimal solution. Never got around setting up a password manager. I never knew if I could trust password managers. What if they get hacked? Then ALL your passwords are up for grabs. No, I rather lose one password at a time...

Maybe someone can convince me that password managers are good. Or not. Do you folks use them?

Thanks to the link in the post I found this site, that lets you check if you have been compromised.

https://haveibeenpwned.com/

The site seems legit, created by this guy:

https://www.troyhunt.com/

I checked my email-addresses. One had been compromised in the famous Linux Mint hack of this year. But my password was random and has now been changed so no biggie.

Anyway, this site by Troy Hunt is really useful I think. You don't have to wonder if you been "pwned". Just look it up.

DrJBHL

on May 07, 2016

anotherside

reply 17

Maybe someone can convince me that password managers are good. Or not.

anotherside: Lastpass has been hacked.

Keypass, if hacked has not been published as having been hacked.

anotherside

reply 17

Thanks to the link in the post I found this site, that lets you check if you have been compromised.

Be careful about "helpful" sites...they might be the opposite.

kryo

on May 07, 2016

http://arstechnica.com/security/2016/05/the-massive-password-breach-that-wasnt-google-says-data-is-98-bogus/

moshi

on May 08, 2016

it's Hold Security again. so no surprise here. it's a pity that the "Russian gang steals 1.2 billion user names and passwords" thread from 2014 by DrJBHL has been deleted.

DrJBHL

on May 08, 2016

Just to clarify something: We live in a time when data is stolen. People, among them WC members, use these services. My job is to report this. If I had waited to report this to members, they would have been in jeopardy. Was it unreasonable to think that hackers stole this data? I do not believe so. This is a case of 20/20 hindsight.

Is changing user name/password an unreasonable thing? Does it involve a massive inconvenience? I do not think so. As with many things, there is a risk/benefit ratio. Does the risk incurred by not changing a password (which should be done routinely, anyway) justify not doing so? Clearly not.

We should believe Google. Because Google.

starkers

on May 08, 2016

DrJBHL

reply 21

We should believe Google. Because Google.

Is the biggest data hog of all time... retaining even 'useless' data just in case it may one day be useful.

If you sneeze, Google wants to know about it.

If you cough, Google wants to know about it

If you fart, Google sees it as ammunition to embarrass you somewhere farther down the track.

If you die.... Google already knows what you left it in your Will.

Daiwa

on May 08, 2016

Good on ya, Doc.

Rather have the occasional 'false' alarm than a real fire & not know it. I was due to change my master pword, anyway.

DrJBHL

on May 08, 2016

Thanx, Daiwa.

ElanaAhova

on May 09, 2016

Daiwa

reply 23

Good on ya, Doc.

Rather have the occasional 'false' alarm than a real fire & not know it. I was due to change my master pword, anyway.

agree. better safe than sorry

Kazzerigian

on May 09, 2016

grrrrrrrrrrrr...

Cameochi

on May 09, 2016

Security has always been a concern which is why I no longer use any internet mail as a primary account. I do have a Gmail address which is required for my Android phone but it is disabled as it was getting over 100 spam messages a day even though the account is never used.

starkers

on May 09, 2016

Damned spam.... I was getting a similar amount a while back... 99% of it from Facebook, despite having been there only once. I just ceased using that account when blocking Facebook was a futile exercise.

Welcome Guest! Please take the time to register with us.
There are many great features available to you once you register, including:

Richer content, access to many features that are disabled for guests like commenting on the forums.
Access to a great community, with a massive database of many, many areas of interest.
Access to contests & subscription offers like exclusive emails.
It's simple, and FREE!