A number of major webmail services have suffered one of the largest security breaches in recent years. The account details of Gmail, Yahoo Mail, Hotmail, and Mail.ru are just four of the services affected.
Security firm Hold Security says that it has been contacted by a hacker in possession of 272 million unique pairs of email addresses and unencrypted passwords. This is far from an insignificant number, and the situation is made all the worse as the data is being freely shared for just about anyone to access.
Hold Security says that it was initially contacted by the hacker who was seeking a nominal fee for access to gigabytes of data. Unwilling to contribute to the hacker financially, the security firm negotiated and obtained the data for free. This initially appeared disappointing as it comprised data collected from previous security breaches. But with a little probing, things became more interesting:
There is obviously potential for this data to be misused. Talking to the BBC, Alex Holden from Hold Security said: "There are hacker sites that advertise 'brute forcing' popular services and store fronts by taking a large amount of credentials and running them one-by-one against the site. What makes this discovery more significant is the hacker's willingness to share these credentials virtually for free, increasing the number of… malicious people who might have this information."
But while the numbers seem high - 57 million Mail.ru accounts, 40 million Yahoo accounts, 33 million Hotmail accounts and 24 million Gmail accounts -- Mail.ru says that not all of the data is valid. Microsoft, Google and Yahoo are all currently investigating the data and talking with Hold Security.
Paul Farrington, senior solution architect at Veracode commented: “With increasing threats to both individuals and organisations, it has never been more critical to take a secure and direct approach to protecting passwords, through two-factor authentication security, and frequent scans of web applications.
"With cyber-attackers typically targeting the theft of money, intellectual property and / or our personal identities, this breach only serves as a further reminder of the upmost importance for businesses to ensure that sensitive data is safeguarded against cyber-criminals.”