Slashdot Mirror

← Back to Stories (view on slashdot.org)

Millions of Gmail, Yahoo, Hotmail Email Accounts Being Traded in Russian Underworld (reuters.com)

Posted by msmash on from the big-data-breach dept.

Eric Auchard, reporting for Reuters (edited and condensed): Hundreds of millions of hacked usernames and passwords for email accounts and other websites are being traded in Russia's criminal underworld, a security expert told Reuters. The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia's most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users (Editor's note: the numbers are: 57M Mail.ru, 24M Google, 40M Yahoo, and 33M Hotmail), said Alex Holden, founder and chief information security officer of Hold Security. [...] The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totaling 1.17 billion records.Amir Efrati, a reporter with The Information, asks: "Industry seems to be failing at convince email users to do 2-step verification. Why not require it?"

46 of 73 comments (clear)

  1. Russians by 110010001000 · · Score: 4, Funny

    Kennedy should have gotten rid of them when he had the chance! They are reading our Hotmail!

    1. Re:Russians by Killall+-9+Bash · · Score: 1

      They weren't even reading their Telex's, otherwise they would have read the one Oswald sent the morning of the JFK assassination warning of a military coup.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
  2. No surprise here by MrKrillls · · Score: 2

    It would be real news were there be no stolen data in the hands of russian hackers.

    --
    Don't step on the baby.
    1. Re:No surprise here by hcs_$reboot · · Score: 1

      "No surprise", maybe. But, at least, using Gmail you get a notice whenever there is an usual activity of your account.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  3. Run your own email server by jfdavis668 · · Score: 4, Funny

    Follow Hillary Clinton's example, and just run your own server.

    1. Re:Run your own email server by Anonymous Coward · · Score: 1

      If we followed Hillary Clinton's example, we'd sell our enemies other precious resources for personal gain besides just the uranium. That traitor can go to hell.

    2. Re:Run your own email server by smooth+wombat · · Score: 2

      If we followed George Bush's example we'd ignore 8 months of daily warnings of an impending attack and let 3,000 people die in the span of a few hours, then turn around and claim there was on way to prevent the attack.

      Afterwards, you'd make up some excuse, including making up false documents, to invade and occupy a foreign country which had nothing to do with anything while at the same time letting the person who planned the worst terrorist attack in U.S. history escape because you ignored every request from troops on the ground for more troops to block the person's escape. This would cost over $2 trillion and the lives of thousands of soldiers, but eh, who cares.

      You'd also let your Vice President out an undercover CIA agent and not have them thrown in jail.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    3. Re:Run your own email server by DaveMikulec · · Score: 1

      Touché

      --
      "Shall we play a game?" -W.O.P.R.
    4. Re:Run your own email server by KGIII · · Score: 1

      I skipped the middle-man. I moved my email to being hosted by Yandex. Yes, yes that company. However, it might actually be safe from the NSA - specifically. I'm pretty sure Putin's reading it daily and I guess that's okay. Ah well... At least I keep mail separate from my domain - 'cause the domain is down as they dorked the move but I shan't burden you with my tale of woe. I do, on the other hand, want to vent. I'll spare you that too. ;-)

      --
      "So long and thanks for all the fish."
    5. Re:Run your own email server by jfdavis668 · · Score: 1

      You're right! We should have invaded Afghanistan after the first World Trade Center attack in 1993.

    6. Re:Run your own email server by skegg · · Score: 1

      Hmm ... not sure if you're being sarcastic. (?)
      If not, then I consider myself in esteemed company. I moved my email so it's now hosted by Mail.ru. (Domain held separately.)

      I did a little Googling* and saw that Putin has been critical of Yandex but not Mail.ru. (Quite harshly, in fact.)
      And historically, he's not on the best of terms with the individuals leading Yandex, but seems amicable with those of Mail.ru.
      Also, Mail.ru's email is scanned by Kaspersky, which I find is often singled-out / ridiculed by mainstream western media. That just makes me trust them more.

      I moved for what I presume are the same reasons as yourself:
      my email may be read daily** by a government department, but at least I know it won't be knowingly / willingly shared with my own government.
      My private life is none of their business. Indeed, THEY need to better expose themselves to the voting public.

      Oh, and vent, my friend. Vent!

      * Don't know if this is sinister, but while Googling for instructions on how to host my email with Mail.ru, Yandex appeared at the top of the search results. Yandex also appears for other queries specifically targeted at Mail.ru.
      ** I pity the person who reads my email. It's really quite mundane. Nevertheless, it's mine.

    7. Re:Run your own email server by KGIII · · Score: 1

      I have much, much to respond. I sat here for a few minutes and decided that brevity, for a chance, would be my chosen route.

      I am not even remotely kidding. Not only do have have my site's email configured to use Yandex, I have a standing offer to allow site visitor/participants to ask for and receive a Yandex email of their own. At some point, I'll document how it is done and let people do it themselves - it's not terribly difficult.

      It does help to read Russian but I think, I'm not positive, that you might be able to find a path through without needed Russian. It hits a point where you must pass a CAPTCHA to get the service. It's in Cyrillic letters. It's possible to pass it. It's just a pain.

      --
      "So long and thanks for all the fish."
  4. Another reason for 2FA by cmiller173 · · Score: 1

    Glad I finally turned on 2-factor authentication for gmail, using a usb token.

    1. Re:Another reason for 2FA by RubberDogBone · · Score: 3, Insightful

      2FA is great unless the company happily agrees to turn it off when a hacker kindly asks them to via web chat or twitter DM: http://www.csoonline.com/artic...

      If someone can CALL or CHAT or DM and ask them to turn off 2FA, then the process is broken, the security is an illusion and using 2FA is worthless.

      --
      Sig for hire.
    2. Re:Another reason for 2FA by rsborg · · Score: 1

      2FA is great unless the company happily agrees to turn it off when a hacker kindly asks them to via web chat or twitter DM: http://www.csoonline.com/artic...

      If someone can CALL or CHAT or DM and ask them to turn off 2FA, then the process is broken, the security is an illusion and using 2FA is worthless.

      Luckily Paypal isn't trusted with something so important as your online identity - just your funds.

      --
      Make sure everyone's vote counts: Verified Voting
    3. Re:Another reason for 2FA by kriston · · Score: 1

      At least Amazon requires a notarized letter to turn off 2FA on AWS.

      --

      Kriston

    4. Re:Another reason for 2FA by Coren22 · · Score: 1

      As you seem to possibly know a bit about this, do you know if there are any second factor devices that are compatible with gmail that are screen based rather than NFC/USB based?

      Will they work with an RSA token instead?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  5. Re:Why don't we put an end to this? by Anonymous Coward · · Score: 1

    Why stop with Russia? China, Nigeria, Ukraine, South Korea, and others, including the USA and UK, harbor hacker gangs. Disconnect them all!

  6. yeah, boss. that's it. that's what happened. by turkeydance · · Score: 2

    it was those Russian hackers.

  7. Re:Why don't we put an end to this? by Anonymous Coward · · Score: 1

    "The Net interprets censorship as damage and routes around it." -- John Gilmore

    The good reason why it isn't done is that there is no such cable that you can sever to disconnect Russia.

  8. Cut to the chase by Nidi62 · · Score: 1

    You might as well just go ahead and auction off your own account information. If you know you're likely to be hacked anyway and someone's going to make a profit off it then why shouldn't that person be you?

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    1. Re:Cut to the chase by jratcliffe · · Score: 1

      According to the article, the hacker sold the userids and pwds (something like 150 million) for about $1.

    2. Re:Cut to the chase by KGIII · · Score: 1

      I'm not even a criminal or anything. I'll give 'em $10 for that. I'm not sure what I'd do with 'em but it'd be an awesome buy. I'm pretty sure it'd not be illegal for me to buy them either. I'm positive it would be illegal for me to *use* them but I don't think it's a crime to buy 'em. Hell, a buck isn't bad at all.

      Meh, I'm pretty sure they don't need my email address. My government already gave 'em a bunch of data. Well, they didn't *give* it to them but, if I read everything properly, they didn't try really hard to stop 'em. But, what the hell, I got some free credit monitoring service because that's really what I'm concerned about. I already have them set the flags to "do not issue credit" on the three major reporting agencies. In fact, financial impact is the least of my concerns.

      --
      "So long and thanks for all the fish."
  9. ...and the sky is blue by campuscodi · · Score: 3, Interesting

    Thank God for Reuters.... otherwise we would have never found out. Ever since Reuters started a "security" news section this past winter, they're pointing out the most obvious things lately. Tomorrow's story is "malware infects Windows computer"

    1. Re:...and the sky is blue by JustAnotherOldGuy · · Score: 2

      Tomorrow's story is "malware infects Windows computer"

      WHAT YOU SAY???

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:...and the sky is blue by KGIII · · Score: 1

      Dude, no kidding. It could happen! ;-)

      Err... Ignore me - I'm venting.

      --
      "So long and thanks for all the fish."
  10. Two-Step Authentication by Kevoco · · Score: 1

    It's easy and it works!
    Google (Gmail)
    Yahoo
    Microsoft (Hotmail)

  11. Federated authentication by mi · · Score: 5, Insightful

    Two-Step Authentication

    No guarantee. A lot can be obtained from third-party sites, to which people login using their existing accounts. It is not only Slashdot, which allows you to login with your Yahoo! or Facebook credentials...

    When you use this method on a web-site, you get a notice, that you authorize the site to "access your contacts" and some other information. This is easy for the sites to set up and they like it because they want to encourage people to comment — it increases "pageviews". The site itself may not be abusing this access (some operators may not even realize, they have it).

    Unfortunately, not all sites are good at guarding it — this is how your entire Yahoo! addressbook, for example, may end up in the criminals' possession without them ever actually accessing your mailbox. Having such addressbooks, spammers can (and do!) generate customized spam in which you appear to be the sender for each of your contacts and which opens with the salutation you used to identify the contact. Such spams, obviously, have a far higher chances of being read by the victims — and the links in them are much more likely to be clicked.

    --
    In Soviet Washington the swamp drains you.
    1. Re:Federated authentication by cmiller173 · · Score: 1

      And this is why I don't ever use my google/yahoo/facespace/etc account to log into other websites!

    2. Re:Federated authentication by virtualestates · · Score: 1

      Me neither. Oh, wait...

  12. Re:Why don't we put an end to this? by Anonymous Coward · · Score: 1

    Because in Soviet Russia, cable disconnects you!

  13. Mail.ru by JustAnotherOldGuy · · Score: 1

    A friend that runs a small anti-spam company says that he's "never seen a legit email" from Mail.ru, period.

    I'm sure they exists, but when they're only 0.000000000000000000000001 of the volume, it's probably hard to detect.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Mail.ru by Motherfucking+Shit · · Score: 1

      For whatever it's worth, someone on the Mail.ru security team is credited with discovering recent critical ImageMagick vulnerabilities (and now I'm wondering if that's how they were compromised). So while they may not send a lot of legit mail outside of Russia, I'd say Mail.ru is still a net positive.

      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    2. Re:Mail.ru by JustAnotherOldGuy · · Score: 1

      So while they may not send a lot of legit mail outside of Russia, I'd say Mail.ru is still a net positive.

      That's like saying "the tsunami that washed your burning house out to sea put out the fire, so lets have a round of applause for the tsunami."

      Or...to use a car analogy: the car accident turned you into a quadriplegic, but the upside is that you won't ever need to go shopping for clothes again!

      --
      Just cruising through this digital world at 33 1/3 rpm...
  14. Captain Obvious by JustAnotherOldGuy · · Score: 3, Interesting

    "Exclusive: Big data breaches found at major email services - expert"

    Wow, no shit?? Bloomberg is really on the cutting edge of newsy stuff, like fer sure. Oooh, and their big discovery is "Exclusive" too.

    You could run this headline every day and it would be true. Has Bloomberg just discovered email and hackers and stuff?

    --
    Just cruising through this digital world at 33 1/3 rpm...
  15. By U.S. Dept. of Fear? by fbobraga · · Score: 1

    https://twitter.com/FearDept

  16. This is probably a scam by Anonymous Coward · · Score: 1

    This story has surfaced several times before - each time the password number seems to grow larger and larger. Alex Holden appears to be using it to promote his business.

    Here's a couple of skeptical opinions on it.
    https://www.schneier.com/blog/archives/2014/08/over_a_billion_.html
    https://community.spiceworks.com/topic/557606-scam-of-the-week-for-sale-cybervor-false-sense-of-security

    Long story short, Alex Holden is charging people $120 to find out if their account is impacted. The collection of stolen accounts probably doesn't exist.

  17. This is simple... by Anonymous Coward · · Score: 2, Informative

    1. Don't log into websites with a Google, Microsoft, or Facebook account. This is patently stupid and only those who don't understand security will do this and claim "it's easy", or "it's convenient". You get what you have coming if you go this route.

    2. Firewall email and other accounts. IOW, have an account for important personal things. Have an account for trivial things. Have a throwaway account for quick signup that are not important. With Facebook and other privacy-nightmare sites, use an email account that is used for nothing else. Don't populate the account with addresses. It's the account used to maintain the service.

    3. Use 2FA where possible. Don't use the same passwords across accounts. This is a no-brainer, but people do it for convenience. Don't. It's stupid. Have a separate password for each service. It's really not difficult to remember passwords.

  18. Passwords? by wwalker · · Score: 1

    If the database includes both usernames and passwords, it is practically guaranteed that it was stolen from the user's computer by keylogging viruses, etc.. No large email provider would be stupid enough to store actual passwords on their side.

    1. Re:Passwords? by Zontar+The+Mindless · · Score: 1

      No large email provider would be stupid enough to store actual passwords on their side.

      I, too, want to believe.

      --
      Il n'y a pas de Planet B.
  19. Re:YOU FAIL IT by sims+2 · · Score: 1

    Its probably safe to block all posts containing "goat.cx" at this point since the domain is parked.

    --
    Minimum threshold fixed. Thanks!
  20. Dumpster diving by Max_W · · Score: 1

    I heard that dumpster diving is the main source of private information nowadays: https://en.wikipedia.org/wiki/...

    People do not shred papers or shred with outdated machines. This is how passwords, account numbers, photos, handwriting samples, etc. gets into the underworld.

    All this systematically collected and added to large databases. Modern hard disks allow to keep data on the whole population, especially of the first world. Obviously it is an international underworld.

  21. Re:There is a Russian underworld? by JustAnotherOldGuy · · Score: 1

    There is a Russian underworld? I thought the Russian underworld successfully merged with the Russian government during the Yeltsin era and is now literally blossoming under Putin.

    You are correct. Check out the "Russian Business Network", or RBN. They're definitely part of the day-to-day operations of the Russian economy and are meshed intimately with the government at nearly every level. They make the Mafia look like rank amateurs.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  22. By two-factor, they mean GIVE US YOUR PRIVATE # by markdavis · · Score: 2

    >"Amir Efrati, a reporter with The Information, asks: "Industry seems to be failing at convince email users to do 2-step verification. Why not require it?" "

    Because not all of us want to give stupid corporations our freaking cell phone number or whatnot. Talk about a MAJOR invasion of privacy. There are things that CAN be done, but forcing an invasive "solution" on people will find at least some of their user base leaving their service.

    Some of us really are VERY careful about passwords, not using malware-infected systems, etc. And forcing us to hand over even more private info to companies that ABSOLUTELY WILL spam us with it is a deal-ender.

    1. Re:By two-factor, they mean GIVE US YOUR PRIVATE # by Retired+Spy · · Score: 1

      Many people have a very good reasons for not wanting their email linked to a phone number. In places like Syria you could monitor email connections (even if you can't read the content) then use the phone SMS for localization for real time targeting information. This would be a good way to shut down/kill unauthorized and unaware journalists and careless just-in-country NGO personnel, not to mention rebels. You can use a VPN to hide your email connection but then Google goes and phones you back. Then it's fire mission, fire for effect... Not the way I would want to end my day... Perhaps a little dramatic, but the same thing can easily be done to deanonymize anyone...

    2. Re:By two-factor, they mean GIVE US YOUR PRIVATE # by Gussington · · Score: 1

      Many people...

      The scenario you just gave would be lucky to be relevant to even one person. Monitoring the email address of a target so you can track their cell phone so you can then airstrike them? How many Slashdot readers face this as real threat?
      i think "many" is a little bit of any overstatement.