Slashdot Mirror


Millions of Gmail, Yahoo, Hotmail Email Accounts Being Traded in Russian Underworld (reuters.com)

Eric Auchard, reporting for Reuters (edited and condensed): Hundreds of millions of hacked usernames and passwords for email accounts and other websites are being traded in Russia's criminal underworld, a security expert told Reuters. The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia's most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users (Editor's note: the numbers are: 57M Mail.ru, 24M Google, 40M Yahoo, and 33M Hotmail), said Alex Holden, founder and chief information security officer of Hold Security. [...] The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totaling 1.17 billion records. Amir Efrati, a reporter with The Information, asks: "Industry seems to be failing at convince email users to do 2-step verification. Why not require it?"

73 comments

  1. Russians by 110010001000 · · Score: 4, Funny

    Kennedy should have gotten rid of them when he had the chance! They are reading our Hotmail!

    1. Re:Russians by Anonymous Coward · · Score: 0

      So was Kennedy, and a fair portion of your current government.

    2. Re:Russians by Anonymous Coward · · Score: 0

      Too bad they weren't reading lee.harvey.oswald@yahoo.cu. I heard he frequented a chatroom called TheGrassyKnoll on a server controlled by the Mafia.

    3. Re:Russians by Killall+-9+Bash · · Score: 1

      They weren't even reading their Telexes, otherwise they would have read the one Oswald sent the morning of the JFK assassination warning of a military coup.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
    4. Re: Russians by Anonymous Coward · · Score: 0

      Annnnndd child porn just "found" on your account.
      Do not pass GO, do not collect $200, but do go to jail for being stupid.

  2. Where is everyone ? by Anonymous Coward · · Score: 0

    The page... she is empty ?

    GNAA...

  3. No surprise here by MrKrillls · · Score: 2

    It would be real news were there no stolen data in the hands of Russian hackers.

    --
    Don't step on the baby.
    1. Re:No surprise here by hcs_$reboot · · Score: 1

      "No surprise", maybe. But, at least, using Gmail you get a notice whenever there is unusual activity on your account.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  4. Run your own email server by jfdavis668 · · Score: 4, Funny

    Follow Hillary Clinton's example, and just run your own server.

    1. Re:Run your own email server by Anonymous Coward · · Score: 0

      And she was following the RNC's example when they ran the email servers for the Bush White House for eight years out of Chattanooga, Tennessee.

    2. Re:Run your own email server by Anonymous Coward · · Score: 0, Insightful

      All of them should follow Edward Snowden's example and start using end-to-end encryption on all their email.

      But seriously, we all know the Clintons and the RNC ran their own servers to ensure that reliable backups were simply not available when subpoenaed.

      But seriously seriously, end-to-end encryption on all your email, regardless of the servers involved.

    3. Re:Run your own email server by Anonymous Coward · · Score: 1

      If we followed Hillary Clinton's example, we'd sell our enemies other precious resources for personal gain besides just the uranium. That traitor can go to hell.

    4. Re:Run your own email server by Anonymous Coward · · Score: 0

      Yeah and look how well that went over. The hacker group Snowden leaked all her emails.

    5. Re:Run your own email server by smooth+wombat · · Score: 2

      If we followed George Bush's example we'd ignore 8 months of daily warnings of an impending attack and let 3,000 people die in the span of a few hours, then turn around and claim there was no way to prevent the attack.

      Afterwards, you'd make up some excuse, including making up false documents, to invade and occupy a foreign country which had nothing to do with anything while at the same time letting the person who planned the worst terrorist attack in U.S. history escape because you ignored every request from troops on the ground for more troops to block the person's escape. This would cost over $2 trillion and the lives of thousands of soldiers, but eh, who cares.

      You'd also let your Vice President out an undercover CIA agent and not have them thrown in jail.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    6. Re:Run your own email server by DaveMikulec · · Score: 1

      Touché

      --
      "Shall we play a game?" -W.O.P.R.
    7. Re: Run your own email server by Anonymous Coward · · Score: 0

      But why?
      A) any encryption can be broken by blunt force if enough resources are devoted to it; NSA/GCHQ etc. can probably subvert half of the entire planet's CPU cycles if they need to.
      B) unless you can write encryption yourself, then you only have the writer's and others' word that it works and that it doesn't contain backdoors.
      C) what is so vital in your life that encryption is worth the extra resources it would take if everyone decides to run end-to-end encryption on everything?
      D) who do you trust? Hackers in the rest of the world, the USA government or nobody...

    8. Re:Run your own email server by KGIII · · Score: 1

      I skipped the middle-man. I moved my email to being hosted by Yandex. Yes, yes that company. However, it might actually be safe from the NSA - specifically. I'm pretty sure Putin's reading it daily and I guess that's okay. Ah well... At least I keep mail separate from my domain - 'cause the domain is down as they dorked the move but I shan't burden you with my tale of woe. I do, on the other hand, want to vent. I'll spare you that too. ;-)

      --
      "So long and thanks for all the fish."
    9. Re:Run your own email server by jfdavis668 · · Score: 1

      You're right! We should have invaded Afghanistan after the first World Trade Center attack in 1993.

    10. Re: Run your own email server by Anonymous Coward · · Score: 0

      A) is false. Fucking read up on brute forcing strong encryption. You start running into comparisons with number of stars in galaxy, etc.

    11. Re:Run your own email server by skegg · · Score: 1

      Hmm ... not sure if you're being sarcastic. (?)
      If not, then I consider myself in esteemed company. I moved my email so it's now hosted by Mail.ru. (Domain held separately.)

      I did a little Googling* and saw that Putin has been critical of Yandex but not Mail.ru. (Quite harshly, in fact.)
      And historically, he's not on the best of terms with the individuals leading Yandex, but seems amicable with those of Mail.ru.
      Also, Mail.ru's email is scanned by Kaspersky, which I find is often singled-out / ridiculed by mainstream western media. That just makes me trust them more.

      I moved for what I presume are the same reasons as yourself:
      my email may be read daily** by a government department, but at least I know it won't be knowingly / willingly shared with my own government.
      My private life is none of their business. Indeed, THEY need to better expose themselves to the voting public.

      Oh, and vent, my friend. Vent!

      * Don't know if this is sinister, but while Googling for instructions on how to host my email with Mail.ru, Yandex appeared at the top of the search results. Yandex also appears for other queries specifically targeted at Mail.ru.
      ** I pity the person who reads my email. It's really quite mundane. Nevertheless, it's mine.

    12. Re:Run your own email server by KGIII · · Score: 1

      I have much, much to respond. I sat here for a few minutes and decided that brevity, for a change, would be my chosen route.

      I am not even remotely kidding. Not only do I have my site's email configured to use Yandex, I have a standing offer to allow site visitors/participants to ask for and receive a Yandex email of their own. At some point, I'll document how it is done and let people do it themselves - it's not terribly difficult.

      It does help to read Russian but I think, I'm not positive, that you might be able to find a path through without needing Russian. It hits a point where you must pass a CAPTCHA to get the service. It's in Cyrillic letters. It's possible to pass it. It's just a pain.

      --
      "So long and thanks for all the fish."
  5. Why don't we put an end to this? by Anonymous Coward · · Score: 0, Interesting

    Why not sever the cables that connect Russia to the Internet until they crack down on the rampant crime online coming from their country? Can anyone give me a good reason why this shouldn't be done?

    I suspect I'll get downmodded to -1 so people can avoid the question and pretend like it's not here. Can anyone actually answer the question rather than evading it through moderation? I don't think Slashdot is capable of giving a good answer.

    1. Re:Why don't we put an end to this? by Anonymous Coward · · Score: 1

      Why stop with Russia? China, Nigeria, Ukraine, South Korea, and others, including the USA and UK, harbor hacker gangs. Disconnect them all!

    2. Re:Why don't we put an end to this? by Anonymous Coward · · Score: 1

      "The Net interprets censorship as damage and routes around it." -- John Gilmore

      The good reason why it isn't done is that there is no such cable that you can sever to disconnect Russia.

    3. Re:Why don't we put an end to this? by Anonymous Coward · · Score: 1

      Because in Soviet Russia, cable disconnects you!

    4. Re:Why don't we put an end to this? by Anonymous Coward · · Score: 0

      ftw!

  6. Another reason for 2FA by cmiller173 · · Score: 1

    Glad I finally turned on 2-factor authentication for gmail, using a usb token.

    1. Re:Another reason for 2FA by RubberDogBone · · Score: 3, Insightful

      2FA is great unless the company happily agrees to turn it off when a hacker kindly asks them to via web chat or twitter DM: http://www.csoonline.com/artic...

      If someone can CALL or CHAT or DM and ask them to turn off 2FA, then the process is broken, the security is an illusion and using 2FA is worthless.

      --
      Sig for hire.
    2. Re:Another reason for 2FA by rsborg · · Score: 1

      2FA is great unless the company happily agrees to turn it off when a hacker kindly asks them to via web chat or twitter DM: http://www.csoonline.com/artic...

      If someone can CALL or CHAT or DM and ask them to turn off 2FA, then the process is broken, the security is an illusion and using 2FA is worthless.

      Luckily Paypal isn't trusted with something so important as your online identity - just your funds.

      --
      Make sure everyone's vote counts: Verified Voting
    3. Re: Another reason for 2FA by Anonymous Coward · · Score: 0

      Jesus, do your kids have to continue your 2FA, or perhaps you might want to disable it at some point? Perhaps if your phone service is down, etc.

    4. Re:Another reason for 2FA by Anonymous Coward · · Score: 0

      The hackers are just using the 3rd factor... the human one. Don't worry all those outsourced jobs will soon be replaced by robots eliminating this element. /sarcasm

    5. Re:Another reason for 2FA by kriston · · Score: 1

      At least Amazon requires a notarized letter to turn off 2FA on AWS.

      --

      Kriston

    6. Re:Another reason for 2FA by Coren22 · · Score: 1

      As you seem to possibly know a bit about this, do you know if there are any second factor devices that are compatible with gmail that are screen based rather than NFC/USB based?

      Will they work with an RSA token instead?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  7. yeah, boss. that's it. that's what happened. by turkeydance · · Score: 2

    it was those Russian hackers.

  8. Cut to the chase by Nidi62 · · Score: 1

    You might as well just go ahead and auction off your own account information. If you know you're likely to be hacked anyway and someone's going to make a profit off it then why shouldn't that person be you?

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    1. Re:Cut to the chase by jratcliffe · · Score: 1

      According to the article, the hacker sold the userids and pwds (something like 150 million) for about $1.

    2. Re:Cut to the chase by KGIII · · Score: 1

      I'm not even a criminal or anything. I'll give 'em $10 for that. I'm not sure what I'd do with 'em but it'd be an awesome buy. I'm pretty sure it'd not be illegal for me to buy them either. I'm positive it would be illegal for me to *use* them but I don't think it's a crime to buy 'em. Hell, a buck isn't bad at all.

      Meh, I'm pretty sure they don't need my email address. My government already gave 'em a bunch of data. Well, they didn't *give* it to them but, if I read everything properly, they didn't try really hard to stop 'em. But, what the hell, I got some free credit monitoring service because that's really what I'm concerned about. I already have them set the flags to "do not issue credit" on the three major reporting agencies. In fact, financial impact is the least of my concerns.

      --
      "So long and thanks for all the fish."
    3. Re: Cut to the chase by Anonymous Coward · · Score: 0

      Competitive industry? I've heard of razor thin profit margins...

  9. ...and the sky is blue by campuscodi · · Score: 3, Interesting

    Thank God for Reuters.... otherwise we would have never found out. Ever since Reuters started a "security" news section this past winter, they're pointing out the most obvious things lately. Tomorrow's story is "malware infects Windows computer"

    1. Re:...and the sky is blue by JustAnotherOldGuy · · Score: 2

      Tomorrow's story is "malware infects Windows computer"

      WHAT YOU SAY???

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:...and the sky is blue by KGIII · · Score: 1

      Dude, no kidding. It could happen! ;-)

      Err... Ignore me - I'm venting.

      --
      "So long and thanks for all the fish."
  10. Two-Step Authentication by Kevoco · · Score: 1
    1. Re:Two-Step Authentication by Anonymous Coward · · Score: 0

      Yeah, it works great when one of those steps is to send a message to an e-mail address that no longer works (why they did that, I don't know). Even though I know my password, I have no way to get into my Yahoo account anymore. And yes, I tried their help system. It didn't. I guess I won't have to worry about Russian hackers getting in.

    2. Re:Two-Step Authentication by Anonymous Coward · · Score: 0

      Two-Step means handing your phone number over to marketers. No I am not going to do that. I refused to give it to Radio Shack, I refuse to give it to Lowe's, and I'm not going to give it to Google.

  11. Send aid by Anonymous Coward · · Score: 0

    Obviously there is high demand for foreign email accounts because of the sanctions on Russia and the resulting account shortage. Donate your password to the needy.

  12. Solution: MORE IOT! by Anonymous Coward · · Score: 0

    Drown the commie bastards in exapetabytes of bits.

  13. it wuz haxx0rz by Anonymous Coward · · Score: 0

    haxxy haxx0rz errywear!

  14. Federated authentication by mi · · Score: 5, Insightful

    Two-Step Authentication

    No guarantee. A lot can be obtained from third-party sites, to which people login using their existing accounts. It is not only Slashdot, which allows you to login with your Yahoo! or Facebook credentials...

    When you use this method on a web-site, you get a notice that you authorize the site to "access your contacts" and some other information. This is easy for the sites to set up and they like it because they want to encourage people to comment — it increases "pageviews". The site itself may not be abusing this access (some operators may not even realize they have it).

    Unfortunately, not all sites are good at guarding it — this is how your entire Yahoo! addressbook, for example, may end up in the criminals' possession without them ever actually accessing your mailbox. Having such addressbooks, spammers can (and do!) generate customized spam in which you appear to be the sender for each of your contacts and which opens with the salutation you used to identify the contact. Such spams, obviously, have a far higher chance of being read by the victims — and the links in them are much more likely to be clicked.

    --
    In Soviet Washington the swamp drains you.
    1. Re:Federated authentication by cmiller173 · · Score: 1

      And this is why I don't ever use my google/yahoo/facespace/etc account to log into other websites!

    2. Re:Federated authentication by virtualestates · · Score: 1

      Me neither. Oh, wait...

  15. Mail.ru by JustAnotherOldGuy · · Score: 1

    A friend that runs a small anti-spam company says that he's "never seen a legit email" from Mail.ru, period.

    I'm sure they exist, but when they're only 0.000000000000000000000001 of the volume, it's probably hard to detect.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Mail.ru by Motherfucking+Shit · · Score: 1

      For whatever it's worth, someone on the Mail.ru security team is credited with discovering recent critical ImageMagick vulnerabilities (and now I'm wondering if that's how they were compromised). So while they may not send a lot of legit mail outside of Russia, I'd say Mail.ru is still a net positive.

      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    2. Re:Mail.ru by JustAnotherOldGuy · · Score: 1

      So while they may not send a lot of legit mail outside of Russia, I'd say Mail.ru is still a net positive.

      That's like saying "the tsunami that washed your burning house out to sea put out the fire, so lets have a round of applause for the tsunami."

      Or...to use a car analogy: the car accident turned you into a quadriplegic, but the upside is that you won't ever need to go shopping for clothes again!

      --
      Just cruising through this digital world at 33 1/3 rpm...
    3. Re:Mail.ru by Anonymous Coward · · Score: 0

      Eh, if your friend's company and clients are in the Western world, it's pretty likely that they will never receive legit email from $FARAWAY_COUNTRY (especially if we're talking about free webmail providers).

      Now, if one of the clients was doing business in Russia, I bet the numbers would be different.

  16. Ashley Madison by Anonymous Coward · · Score: 0

    They're all from the Ashley Madison database!

  17. Captain Obvious by JustAnotherOldGuy · · Score: 3, Interesting

    "Exclusive: Big data breaches found at major email services - expert"

    Wow, no shit?? Bloomberg is really on the cutting edge of newsy stuff, like fer sure. Oooh, and their big discovery is "Exclusive" too.

    You could run this headline every day and it would be true. Has Bloomberg just discovered email and hackers and stuff?

    --
    Just cruising through this digital world at 33 1/3 rpm...
  18. By U.S. Dept. of Fear? by fbobraga · · Score: 1
  19. There is a Russian underworld? by Feral+Nerd · · Score: 0

    There is a Russian underworld? I thought the Russian underworld successfully merged with the Russian government during the Yeltsin era and is now literally blossoming under Putin.

    1. Re:There is a Russian underworld? by JustAnotherOldGuy · · Score: 1

      There is a Russian underworld? I thought the Russian underworld successfully merged with the Russian government during the Yeltsin era and is now literally blossoming under Putin.

      You are correct. Check out the "Russian Business Network", or RBN. They're definitely part of the day-to-day operations of the Russian economy and are meshed intimately with the government at nearly every level. They make the Mafia look like rank amateurs.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  20. This is probably a scam by Anonymous Coward · · Score: 1

    This story has surfaced several times before - each time the password number seems to grow larger and larger. Alex Holden appears to be using it to promote his business.

    Here's a couple of skeptical opinions on it.
    https://www.schneier.com/blog/archives/2014/08/over_a_billion_.html
    https://community.spiceworks.com/topic/557606-scam-of-the-week-for-sale-cybervor-false-sense-of-security

    Long story short, Alex Holden is charging people $120 to find out if their account is impacted. The collection of stolen accounts probably doesn't exist.

  21. This is simple... by Anonymous Coward · · Score: 2, Informative

    1. Don't log into websites with a Google, Microsoft, or Facebook account. This is patently stupid and only those who don't understand security will do this and claim "it's easy", or "it's convenient". You get what you have coming if you go this route.

    2. Firewall email and other accounts. IOW, have an account for important personal things. Have an account for trivial things. Have a throwaway account for quick signups that are not important. With Facebook and other privacy-nightmare sites, use an email account that is used for nothing else. Don't populate the account with addresses. It's the account used to maintain the service.

    3. Use 2FA where possible. Don't use the same passwords across accounts. This is a no-brainer, but people do it for convenience. Don't. It's stupid. Have a separate password for each service. It's really not difficult to remember passwords.

  22. What kind of a moron... by Anonymous Coward · · Score: 0

    ....pays for something that is free?!?

  23. Passwords? by wwalker · · Score: 1

    If the database includes both usernames and passwords, it is practically guaranteed that it was stolen from the user's computer by keylogging viruses, etc. No large email provider would be stupid enough to store actual passwords on their side.

    1. Re:Passwords? by Zontar+The+Mindless · · Score: 1

      No large email provider would be stupid enough to store actual passwords on their side.

      I, too, want to believe.

      --
      Il n'y a pas de Planet B.
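The two comments above turn on how a provider stores passwords. The example below is added here and is not code from the page or from any of the providers named in the story; the user table, e-mail addresses, passwords and wordlist are all constructed in-memory stand-ins, and the PBKDF2 iteration count is an assumption kept low so the demo runs quickly. It shows the two storage patterns side by side and what a buyer of a leaked copy of each table actually gets: with plaintext storage the record is the password; with a salted, slow hash the attacker is forced into one full key-derivation call per guess per user, and a weak password still falls to a short wordlist.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor. Assumption: deliberately low for the demo;
# production deployments use a much larger value (tune to ~100 ms per check).
ITERATIONS = 50_000

HashedRecord = Tuple[bytes, int, bytes]  # (salt, iterations, derived key)


def store_plaintext(table: Dict[str, str], email: str, password: str) -> None:
    """The anti-pattern: the stored record *is* the password, so a dump of
    the table needs no further work from the attacker."""
    table[email] = password


def store_hashed(table: Dict[str, HashedRecord], email: str, password: str) -> None:
    """Per-user random salt plus a slow KDF. A dump of this table holds no
    password, only material the attacker must guess against offline."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    table[email] = (salt, ITERATIONS, dk)


def verify_hashed(table: Dict[str, HashedRecord], email: str, password: str) -> bool:
    """Login check against the hashed table. Unknown users cost the same
    work as known ones so response time does not reveal which addresses
    exist, and the final comparison is constant-time."""
    rec = table.get(email)
    if rec is None:
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, ITERATIONS)
        return False
    salt, iters, dk = rec
    cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(cand, dk)


def crack_leaked_record(rec: HashedRecord, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """What the buyer of a leaked *hashed* record has to do: run the full
    KDF once per guess. Returns (recovered password or None, KDF calls spent).
    The salt is in the record, so the work cannot be shared across users."""
    salt, iters, dk = rec
    calls = 0
    for guess in wordlist:
        calls += 1
        cand = hashlib.pbkdf2_hmac("sha256", guess.encode("utf-8"), salt, iters)
        if hmac.compare_digest(cand, dk):
            return guess, calls
    return None, calls


def demo() -> Tuple[str, Optional[str], int]:
    """Constructed scenario: the same account stored both ways, then both
    tables 'leak'. Returns what each leak yields and the cost of the second."""
    plain: Dict[str, str] = {}
    hashed: Dict[str, HashedRecord] = {}
    store_plaintext(plain, "alice@example.com", "correct horse")
    store_hashed(hashed, "alice@example.com", "correct horse")

    # Plaintext dump: the attacker simply reads the column.
    from_plain = plain["alice@example.com"]

    # Hashed dump: constructed wordlist, one KDF call per guess.
    wordlist = ["123456", "password", "qwerty", "correct horse"]
    from_hashed, cost = crack_leaked_record(hashed["alice@example.com"], wordlist)
    return from_plain, from_hashed, cost


if __name__ == "__main__":
    print(demo())  # ('correct horse', 'correct horse', 4)
```

The point a dump buyer cares about is the last value: hashing with a per-user salt and a slow KDF does not make a leaked table harmless, it multiplies the cost of every guess by the iteration count and prevents one precomputed table from serving every user. A password that sits in a short wordlist is recovered anyway, which is why the thread's other advice (unique passwords, a second factor) still matters even when the provider stores passwords properly.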
  24. Re:YOU FAIL IT by sims+2 · · Score: 1

    Its probably safe to block all posts containing "goat.cx" at this point since the domain is parked.

    --
    Minimum threshold fixed. Thanks!
  25. Dumpster diving by Max_W · · Score: 1

    I heard that dumpster diving is the main source of private information nowadays: https://en.wikipedia.org/wiki/...

    People do not shred papers or shred with outdated machines. This is how passwords, account numbers, photos, handwriting samples, etc. get into the underworld.

    All this is systematically collected and added to large databases. Modern hard disks allow keeping data on the whole population, especially of the first world. Obviously it is an international underworld.

  26. By two-factor, they mean GIVE US YOUR PRIVATE # by markdavis · · Score: 2

    >"Amir Efrati, a reporter with The Information, asks: "Industry seems to be failing at convince email users to do 2-step verification. Why not require it?" "

    Because not all of us want to give stupid corporations our freaking cell phone number or whatnot. Talk about a MAJOR invasion of privacy. There are things that CAN be done, but forcing an invasive "solution" on people will find at least some of their user base leaving their service.

    Some of us really are VERY careful about passwords, not using malware-infected systems, etc. And forcing us to hand over even more private info to companies that ABSOLUTELY WILL spam us with it is a deal-ender.

    1. Re:By two-factor, they mean GIVE US YOUR PRIVATE # by Anonymous Coward · · Score: 0

      Mod this guy up.

      I don't want Microsoft (hotmail) or facebook or Google (gmail) or whoever owns Yahoo now (or in the future) to have my mobile #.

      Nor should I need to hand over my cell phone # just to use some web app.

      Of course they all want it so that they can build their nice little social graphs, link it up with WhatsApp, viber, etc.

    2. Re:By two-factor, they mean GIVE US YOUR PRIVATE # by Retired+Spy · · Score: 1

      Many people have very good reasons for not wanting their email linked to a phone number. In places like Syria you could monitor email connections (even if you can't read the content) then use the phone SMS for localization for real time targeting information. This would be a good way to shut down/kill unauthorized and unaware journalists and careless just-in-country NGO personnel, not to mention rebels. You can use a VPN to hide your email connection but then Google goes and phones you back. Then it's fire mission, fire for effect... Not the way I would want to end my day... Perhaps a little dramatic, but the same thing can easily be done to deanonymize anyone...

    3. Re:By two-factor, they mean GIVE US YOUR PRIVATE # by Gussington · · Score: 1

      Many people...

      The scenario you just gave would be lucky to be relevant to even one person. Monitoring the email address of a target so you can track their cell phone so you can then airstrike them? How many Slashdot readers face this as a real threat?
      I think "many" is a little bit of an overstatement.