Slashdot Mirror


Amid Data Breach, Google, Mail.ru and Yahoo Claim 98% of Leaked Credentials Bogus (arstechnica.com)

Hundreds of millions of email login credentials -- affecting Gmail, Yahoo, Mail.ru (Russia's most popular email service), and Hotmail among other websites -- were being traded earlier this week in Russia's criminal underground. According to a report on Ars Technica, Google, Yahoo, Microsoft, and Mail.ru have now given assurances that the vast majority of leaked credentials are invalid. For instance, "More than 98% of the Google account credentials in this research turned out to be bogus," Google said. Dan Goodin reports: What has been clear all along to anyone paying attention is that the plaintext credentials recovered by Hold Security almost certainly didn't come from hacks on the e-mail providers. Instead, they most likely were collected by hackers who hit dozens, hundreds or thousands of third-party Web services over the years and dumped the account databases into a single list.

25 comments

  1. My Eye by Anonymous Coward · · Score: 1

    This is self serving and hard to disprove. So go for it!

  2. "dozens, hundreds, or thousands" by Anonymous Coward · · Score: 0

    "dozens, hundreds, or thousands" - that's quite a range. I hope we never describe a car accident that way

  3. First factor is for cows by Anonymous Coward · · Score: 0

    You are all Cows. cows say Mooo. Mooo! Mooo! Mooo Cows Mooo! Mooo say the cows. YOU POST PASSWORD AGE COWS!!!

  4. I bet... by Anonymous Coward · · Score: 0

    ... that was teh haxx0rz their fault too.

  5. 5 million+ Credentials Real! by CanEHdian · · Score: 1

    100% -/- 98% = 2%; 2% of 272,000,000 = 5,440,000 valid accounts & passwords. Getting a 2% success rate isn't so bad, is it?

    --
    When the copyright term is "forever minus a day", live every day like it's the last.
    1. Re:5 million+ Credentials Real! by sims+2 · · Score: 1

      Still seems rather low considering the number of people that use the same password everywhere.

      --
      Minimum threshold fixed. Thanks!
  6. 2% Milk by rmdingler · · Score: 1

    It's always the 2% that ruins it for the rest of us.

    The rabble rallied in the cafeteria because a kitchen server spread a rumor the milk was only 2% milk and 98% water and adulterants. Now we get only skim.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  7. I believe them by Opportunist · · Score: 3, Insightful

    Of course only if you follow their definition of "bogus". That is "using names, addresses and other personal information that isn't quite in sync with that of the person registering the account".

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:I believe them by shawn2772 · · Score: 0

      Of course only if you follow their definition of "bogus". That is "using names, addresses and other personal information that isn't quite in sync with that of the person registering the account".

      Cite? Where did you get the definition of bogus you "quoted"? It's not in TFA, and it's not the definition I'd expect any email service provider to use. The only valid definition is "account name and password gain entry into a non-suspended account".

    2. Re:I believe them by Opportunist · · Score: 0

      Sorry, I didn't know I'd give away company secrets, I thought that's common knowledge by now.

      Never mind, I haven't even been here.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:I believe them by shawn2772 · · Score: 1

      Sorry, I didn't know I'd give away company secrets, I thought that's common knowledge by now.

      What are you talking about?

    4. Re:I believe them by tlhIngan · · Score: 1

      Well, I mean the sale price of it was $1 for it. Yes, a dollar. Then it dropped to merely "recognition". Yes, all those accounts are yours if you simply give the guy credit.

      At this point it's basically too good to be true - the list is basically free and all the guy wants is credit? I don't know about you, but when it's too good to be true...

      Someone wants to make a name for themselves and just amalgamated a huge list probably from other public lists of breached emails and addresses.

  8. What we've learnt from this by castus · · Score: 3, Funny

    *) People's email credentials are being sold in large numbers on the black market
    *) If you choose to buy some of these, it's not unlikely that you'll get many outdated or bogus credentials

    Or in other words, planet Earth is still spinning around that big hydrogen ball

    1. Re:What we've learnt from this by Anonymous Coward · · Score: 0

      We're orbiting HYDROGEN?!

      Oh god, didn't someone tell them that is flammable?!

  9. Just got a warning from Google... by Anonymous Coward · · Score: 0

    Telling me that access to my gmail account was blocked 1 hour ago when someone tried to log into my account using the correct password in Dallas, TX (nowhere close to where I live).

    I decided to change my password to be on the safe side, then not 10 minutes later I notice this story. Could be a coincidence, but maybe not.

    1. Re:Just got a warning from Google... by Anonymous Coward · · Score: 0

      So Google knows where you SHOULD log in and from WHERE you SHOULD not, isn't it? This is also concerning...

    2. Re:Just got a warning from Google... by Motherfucking+Shit · · Score: 1

      I got one of those emails yesterday ("Someone has your password") for a Gmail account I've never heard of, where someone was trying to log in from overseas. Whoever created the Gmail had apparently registered my email address as the recovery account. There was a link in the email to disavow the Gmail account, so I did that. I found it a little disconcerting that someone was able to add my email address to their Gmail account without any notification or confirmation email being sent there.

      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    3. Re:Just got a warning from Google... by Anonymous Coward · · Score: 0

      Three words: Two-Factor Authentication.

    4. Re: Just got a warning from Google... by Anonymous Coward · · Score: 0

      As the first word is compound, that's only two...

  10. 2 million valid credentials leaked? by ljw1004 · · Score: 2

    Story1: Of the 100 million credentials leaked, 98% are bogus

    Story2: 2 million valid credentials have been leaked

    The second story still seems pretty serious to me...

    1. Re:2 million valid credentials leaked? by castus · · Score: 1

      98% for gmail, 99.98% for mail.ru

      I wouldn't be surprised if you could do better than that by reusing passwords from other breaches
      Everyone didn't get the don't-reuse-your-password memo

  11. Hey... I have the same combination on my luggage by SeattleLawGuy · · Score: 1

    "More than 98% of the Google account credentials in this research turned out to be bogus," Google said.

    In unrelated news, security researchers discovered today that 'bogus' is the most common password in the universe. They theorize it may have something to do with accidentally allowing Keanu Reeves near a phone booth.

    --
    Real lawyers write in C++
  12. Hmmm by Anonymous Coward · · Score: 0

    3rd party login interfaces are evil

  13. Hmmm by Anonymous Coward · · Score: 0

    In Putin's Russia, acc vendors pwn you!

  14. 'Why Ars ignored this breach' by Rexdude · · Score: 1

    ..because they couldn't be Ars-ed?

    --
    "..One hosts to look them up, one DNS to find them, and in the darkness BIND them."