Multiple major outlets reported a potential breach of security involving 273 million internet users' passwords and login credentials; a single e-mail provider claimed that so far, "no live" accounts were included in their verification attempts.
Whether the claims were credible.
On 4 May 2016, several major outlets reported that an estimated 273 million passwords and login credentials were stolen by one or more Russian hackers. One of the most prominent versions of the claim was published by Komando, the web site of tech radio show host Kim Komando, which reported that the password theft is one of the largest security breaches in recent history:
This breach is happening right now and affects almost every single person with an email account, whether you have Gmail, Microsoft Outlook (or Hotmail), Yahoo Mail or many others.
Cybersecurity experts estimate that The Collector has up to 1.7 billion email account passwords in his or her possession.
As it turns out, the Collector is trying to sell the personal details relating to an estimated 273 million email accounts. These include the email address and password for some 40 million Yahoo Mail, 33 million Hotmail/Outlook accounts, 24 million Gmail accounts, and tens of millions more.
Strangely, The Collector is asking for only $1 for the whole stash, but he or she is also asking for positive reviews to be posted on hacker forums. The low dollar amount may seem odd, but there's potentially bigger money in related attacks like phishing scams. Sometimes, these type of breaches are done for the notoriety, too.
As with other reports published by Reuters, The Independent, and Daily Mail, Komando peppered the article with descriptors such as "allegedly," "estimate," "potentially," and a detail that the purported massive cache of data was offered for sale at just $1. Komando also offered few details about the breach, such as when or how such a large number of accounts came to be compromised.
Reuters was equally vague in its report, noting that the claims primarily came from a self-identified hacker not seeking monetary compensation. Many media outlets spoke with Alex Holden, of Wisconsin-based Hold Security; Holden was referenced in the site's headline:
The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totalling 1.17 billion records.
After eliminating duplicates, Holden said, the cache contained nearly 57 million Mail.ru accounts - a big chunk of the 64 million monthly active email users Mail.ru said it had at the end of last year. It also included tens of millions of credentials for the world's three big email providers, Gmail, Microsoft and Yahoo, plus hundreds of thousands of accounts at German and Chinese email providers.
"This information is potent. It is floating around in the underground and this person has shown he's willing to give the data away to people who are nice to him," said Holden, the former chief security officer at U.S. brokerage R.W. Baird. "These credentials can be abused multiple times," he said.
Mysteriously, the hacker asked just 50 roubles – less than $1 – for the entire trove, but gave up the dataset after Hold researchers agreed to post favourable comments about him in hacker forums, Holden said. He said his company’s policy is to refuse to pay for stolen data.
Reuters included a response from Mail.ru, the entity whose user base was purportedly most affected by the attack. That information suggested that the claim had not yet been verified:
"As soon as we have enough information we will warn the users who might have been affected," Mail.ru said in the email, adding that Mail.ru's initial checks found no live combinations of user names and passwords which match existing emails.
The Guardian reiterated that there wasn't much available information:
In this case, the hacker had been bragging on internet chat forums that he had a trove of login credentials that he was trying to sell. Holden, who is fluent in Russian, said he wouldn’t pay for the data but would give him “likes” on various social media posts in exchange.
The hacker, who apparently is quite young, agreed. “We kind of call him the collector,” Holden says in a heavy Russian accent. “Eventually, almost everyone gets breached.”
No information has yet emerged to confirm whether the claim was credible or how many (if any) accounts were compromised, and none of the reporting indicated whether any investigation had confirmed what details of the story, if any, were authentic. All versions of the claim that we found lacked any details as to when or how breaches of that size occurred. Finally, we were unable to locate any anecdotal reports of security issues related to the claim (such as social media users reporting that their accounts had been accessed or modified without their consent).