Hacker selling over 272 million webmail passwords for $1? Don’t panic

This may very well be a non-story.

Two sides of the moon

In the last day or so a number of media outlets have published some pretty scary-looking stories about a Russian hacker who is apparently trying to sell 272 million login credentials for some of the world’s biggest webmail providers… for less than $1.

The news came in the form of a press release from an outfit called Hold Security.

Here is just a handful of the reports:


First, some facts.

1. We don’t know how many (if any) of the usernames and passwords in the database are genuine. Some might have been made up. Others might have been changed long ago.

2. There is nothing to suggest that there has been any attack against the likes of Gmail, Yahoo and Hotmail. If any of the stolen credentials are genuine, they may well have been gathered through phishing attacks or through home users having their computers infected by malware.

3. We only have Hold Security’s word for all of this.

What we do know is that there are “butterfly collectors” out there, who are interested in collecting large databases of usernames and passwords, but are somewhat more besotted with the size of their collection than its quality. They are not going to invest time in weeding out worthless entries.

In other words, the “hackers” don’t necessarily care whether the credentials they are collecting work. After all, if you want to make a quick buck (or 50 rubles) there may be other collectors who are similarly more impressed by the size of the database on offer than by whether it contains new, or indeed working, passwords.

Even Hold Security in its press release acknowledges that over 99% of the credentials it has scooped up from underground forums have been seen before, suggesting to me that they may have gone “stale” (if they were ever even “ripe”) long ago.

A spokeswoman for Mail.ru, one of the webmail providers mentioned by Hold Security, told BBC News that there did not appear to be any reason to panic just yet:

“A large number of usernames are repeated with different passwords. We are now checking whether any combinations of username/password match [active accounts] – and as soon as we have enough information we will warn the users who might have been affected. The first check of a sample of data showed that it does not consist of any real live combinations of usernames and passwords.”
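The check Mail.ru describes (deduplicate, note usernames that recur with different passwords, compare against what has been seen before, then test a sample against live accounts) is what any provider would do before deciding whether a dump matters. The script below is an added example and is not code from this post, Hold Security or Mail.ru; the combo list, the "previously seen" corpus and the account store are all constructed for illustration, and the salted-hash account store stands in for whatever a real provider keeps.

```python
"""
Triage a leaked username:password "combo list" the way a webmail
provider would before deciding whether to panic.  Added example with
constructed data only; nothing here is a real dump or a real account.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample of a combo list as it might be posted on a forum:
# mixed separators, repeated usernames, blank and junk lines.
SAMPLE_DUMP = """\
alice@example.com:hunter2
alice@example.com:hunter2
alice@example.com:Summer2014!
bob@example.com;password1
carol@example.com:correcthorse
junk line without separator

dave@example.com:
bob@example.com:password1
"""


def fingerprint(user, password):
    """Hash a user:password pair so earlier dumps can be kept without plaintext."""
    return hashlib.sha256(f"{user.lower()}:{password}".encode()).hexdigest()


# Constructed corpus of pairs already seen in earlier dumps (hashes only).
PREVIOUSLY_SEEN = {
    fingerprint("alice@example.com", "hunter2"),
    fingerprint("bob@example.com", "password1"),
    fingerprint("carol@example.com", "correcthorse"),
}


def parse_combo_list(text):
    """Return (username, password) pairs; lines that are not credentials are dropped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for sep in (":", ";", "|"):
            if sep in line:
                user, pw = line.split(sep, 1)
                break
        else:
            continue  # no separator at all: not a credential line
        user, pw = user.strip().lower(), pw.strip()
        if "@" not in user or not pw:
            continue  # junk username or empty password
        pairs.append((user, pw))
    return pairs


def triage(text, previously_seen=PREVIOUSLY_SEEN):
    """Size, duplication and novelty statistics for a dump, without touching live accounts."""
    pairs = parse_combo_list(text)
    unique_pairs = set(pairs)
    by_user = defaultdict(set)
    for user, pw in unique_pairs:
        by_user[user].add(pw)
    seen_before = sum(1 for u, p in unique_pairs if fingerprint(u, p) in previously_seen)
    return {
        "raw_lines": len(text.splitlines()),
        "parsed": len(pairs),
        "unique_pairs": len(unique_pairs),
        "unique_users": len(by_user),
        "users_with_multiple_passwords": sum(1 for pws in by_user.values() if len(pws) > 1),
        "seen_before": seen_before,
        "new_pairs": len(unique_pairs) - seen_before,
    }


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed stand-in for a provider's account store: salted PBKDF2
# hashes, never plaintext.  Only alice's current password appears in the dump.
ACCOUNTS = {
    "alice@example.com": (b"salt-alice", _pbkdf2("Summer2014!", b"salt-alice")),
    "bob@example.com": (b"salt-bob", _pbkdf2("totally-different", b"salt-bob")),
}


def live_matches(pairs, accounts=ACCOUNTS):
    """Usernames whose leaked password still matches the stored hash (the ones to warn)."""
    hits = set()
    for user, pw in set(pairs):
        rec = accounts.get(user)
        if rec is None:
            continue  # not our customer, nothing to do
        salt, stored = rec
        if hmac.compare_digest(_pbkdf2(pw, salt), stored):
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
    print("force reset for:", live_matches(parse_combo_list(SAMPLE_DUMP)))
```

On the constructed sample, nine raw lines shrink to four distinct pairs across three usernames, three of the four have been seen before, and exactly one account (alice, whose newer password is in the dump) would need a forced reset. The live check is deliberately separate from the statistics so the plaintext dump is only ever compared against hashes, never written into logs or a ticket.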

What’s interesting about this is that we’ve been here before.

In 2014, Hold Security announced that it had stumbled across a database of over one billion stolen usernames and passwords, and received a shed-load of press coverage as a result.

Having sent many people into a blind panic, Hold Security pointed people towards its $120 per year breach notification service or a web form where users were invited to enter their email addresses and passwords to see if they were included in the haul.

As I recall, no-one independent ever confirmed the details of the 2014 breach either.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

6 comments on “Hacker selling over 272 million webmail passwords for $1? Don’t panic”

  1. Peter Vogel

    Was wondering about this too yesterday. Particularly interesting was the claim by the Hold representative that the hacker didn't really want payment for the trove, just some nice mentions in a particular forum.

  2. Karl

    At first read I thought, perhaps I am due a password change. After my Lastpass password security audit I found my common webmail passwords are around 10 months old (I try and change passwords yearly). Then I thought, actually I am safe because I do not type my passwords in random places or enter competitions to win iPads. An additional security measure, I use 2FA where available and every single website has a unique password. Either way, I am due a password change in the coming months.

  3. Dave B.

    Curiously enough, I got an email from my sister this morning saying she was getting a number of undeliverable returns in her comcast inbox, all with a mail.ru address, coincidence?

  4. Sean

    It's valuable data, can be used for Hadoop analysis. Wish I could get it without passwords mentioned

  5. DataBit CyberServices SA (INC)

    Hold Security is well-known for fake posts about security breaches. (They become famous and can therefore sell more of their own products)
    – So, I also do not believe a word about this breach.

    Biggest breach in Internet history, they said…
    …Sure, and Hold Security is again the only PC security company that discovered this. ;)

  6. Geetu

    Mainstream just sees the big names Gmail, Yahoo and propagates without even verifying or understanding the item. It is thanks to Graham Cluley's blog that we get to know what it really is.
