Information security firm claims it received 272 million unencrypted unique usernames and passwords from a hacker.
If you rely on Gmail, Hotmail or Yahoo, you may want to take a minute now and change your password. Information security consulting firm Hold Security claimed it had acquired a list of 272 million login credentials spread across all three webmail providers, as well as Russian company Mail.ru.
The highest proportion – 57 million – were said to be from the Russian email provider, although a spokesperson from Mail.ru suggested that after an initial investigation, the leak wasn't as bad as it first appeared.
“A large number of usernames are repeated with different passwords,” the Mail.ru spokesperson said. “We are now checking whether any combinations of username/password match – and as soon as we have enough information we will warn the users who might have been affected.”
Elsewhere, 40 million logins were said to be from Yahoo accounts, 33 million from Hotmail and 24 million from Google. All three providers said they were investigating the breach, although Microsoft added that any account in the list would require “additional information to verify the account owner and help them regain sole access”.
When approached by the hacker, Hold Security claimed that instead of a big ransom demand, the cybercriminal's request was astonishingly modest: 50 rubles. That's a bit over A$1, which led Hold to be somewhat sceptical.
The hacker claimed that they just wanted rid of the data, but felt unable to give it away. Hold Security still refused this very low ransom out of principle, and they eventually secured the trove by adding a few likes and votes to the hacker’s social media page.
While it may sound like a generous offer from the hacker, Hold warned that the willingness with which he gave up the data suggests that the logins may already be out in the wild, so all the more reason to change your passwords now, if you haven't already.