Slashdot Mirror


Millions of Gmail, Yahoo, Hotmail Email Accounts Being Traded in Russian Underworld (reuters.com)

Eric Auchard, reporting for Reuters (edited and condensed): Hundreds of millions of hacked usernames and passwords for email accounts and other websites are being traded in Russia's criminal underworld, a security expert told Reuters. The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia's most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users (Editor's note: the numbers are: 57M Mail.ru, 24M Google, 40M Yahoo, and 33M Hotmail), said Alex Holden, founder and chief information security officer of Hold Security. [...] The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totaling 1.17 billion records. Amir Efrati, a reporter with The Information, asks: "Industry seems to be failing at convincing email users to do 2-step verification. Why not require it?"

6 of 73 comments

  1. Russians by 110010001000 · · Score: 4, Funny

    Kennedy should have gotten rid of them when he had the chance! They are reading our Hotmail!

  2. Run your own email server by jfdavis668 · · Score: 4, Funny

    Follow Hillary Clinton's example, and just run your own server.

  3. ...and the sky is blue by campuscodi · · Score: 3, Interesting

    Thank God for Reuters.... otherwise we would have never found out. Ever since Reuters started a "security" news section this past winter, they're pointing out the most obvious things lately. Tomorrow's story is "malware infects Windows computer"

  4. Federated authentication by mi · · Score: 5, Insightful

    Two-Step Authentication

    No guarantee. A lot can be obtained from third-party sites, to which people log in using their existing accounts. It is not only Slashdot which allows you to log in with your Yahoo! or Facebook credentials...

    When you use this method on a website, you get a notice that you authorize the site to "access your contacts" and some other information. This is easy for the sites to set up and they like it because they want to encourage people to comment — it increases "pageviews". The site itself may not be abusing this access (some operators may not even realize they have it).

    Unfortunately, not all sites are good at guarding it — this is how your entire Yahoo! address book, for example, may end up in the criminals' possession without them ever actually accessing your mailbox. Having such address books, spammers can (and do!) generate customized spam in which you appear to be the sender for each of your contacts and which opens with the salutation you used to identify the contact. Such spams, obviously, have a far higher chance of being read by the victims — and the links in them are much more likely to be clicked.

    --
    In Soviet Washington the swamp drains you.

  5. Captain Obvious by JustAnotherOldGuy · · Score: 3, Interesting

    "Exclusive: Big data breaches found at major email services - expert"

    Wow, no shit?? Bloomberg is really on the cutting edge of newsy stuff, like fer sure. Oooh, and their big discovery is "Exclusive" too.

    You could run this headline every day and it would be true. Has Bloomberg just discovered email and hackers and stuff?

    --
    Just cruising through this digital world at 33 1/3 rpm...

  6. Re:Another reason for 2FA by RubberDogBone · · Score: 3, Insightful

    2FA is great unless the company happily agrees to turn it off when a hacker kindly asks them to via web chat or Twitter DM: http://www.csoonline.com/artic...

    If someone can CALL or CHAT or DM and ask them to turn off 2FA, then the process is broken, the security is an illusion and using 2FA is worthless.

    --
    Sig for hire.