Dive Brief:
- A security expert told Reuters Wednesday that he found that 272.3 million stolen account user names and passwords for email and other websites were available for purchase in Russia.
- Alex Holden, founder and CISO of Hold Security, told Reuters it is one of the largest caches of stolen credentials ever uncovered.
- The hacker was practically giving away the information. He initially asked for just 50 rubles—less than $1—for the data. Later, he agreed to give the information to Hold for free as long as Hold made "favorable comments" about him in hacker forums, according to Reuters.
Dive Insight:
The stolen cache included almost 57 million Mail.ru accounts and "tens of millions" of credentials for Google, Yahoo and Microsoft email users. Holden said thousands of the stolen credentials appear to belong to "employees of some of the largest U.S. banking, manufacturing and retail companies," according to Reuters.
Holden has previously uncovered other large data breaches, including a cache of 1.2 billion unique credentials in 2014—the world's biggest-ever recovery of stolen accounts.
Hold Security became aware of the data when researchers connected with a young Russian hacker bragging about the cache in an online forum.
"This information is potent. It is floating around in the underground and this person has shown he's willing to give the data away to people who are nice to him," said Holden to Reuters. "These credentials can be abused multiple times."
Because people commonly reuse the same passwords and usernames on a variety of sites, breaches of such credentials can domino into additional break-ins or phishing attacks. And with the wide array of available account information, many organizations could be at risk. A recent survey by the Cloud Security Alliance found that stolen online account credentials cause 22% of big data breaches.