Millions of Stolen Logins Sold For Under A Dollar

The tech community was buzzing this morning with the news that over 40 million, never disclosed before, stolen logins were for sale for 50 Rubies (about $0.75) in Russia’s criminal underworld.

Reuters, along with many other news organizations reported this morning that millions of hacked usernames and passwords for email accounts and other websites are being traded in the Russian deep web.

Technology security experts made that discovery of 272.3 million stolen accounts included a majority of users of (a Russian email service, similar to Gmail).  This “collection” is one of the biggest hacks discovered in the past two years and was made when experts at Hold Security discovered the Russian hacker, dubbed “The Collector”, touting his collection in an online forum.  The hacker reported that he had amassed the large number of stolen logins, reportedly totaling 1.17 billion records, from hundreds of third-party sources.

“For the reasons why the hacker virtually gave away the credentials – we do not know,” reported Hold Security founder Alex Holden.

Once the data was analyzed and the duplicates removed, the count was almost 90% of the total of active accounts, according to a 2015 end of year report.  There were millions of credentials for the world’s three big email providers, Gmail, Microsoft, and Yahoo, as well.  Thousands of logins for German and Chinese email providers were also discovered in the data.

“This information is potent. It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him,” reported a Hold Security expert. “These credentials can be abused multiple times,” they added.

The Register also wrote a great article about the hack if you are looking for more of the details.

So, what does this mean for you?

It’s time to change your passwords.

Best practice is changing your passwords every 60-90 days, but lets be honest, that doesn’t always happen.  So, use events like this hack to spur you to not only change your password, but create a secure password as well.  There are great tools to help you accomplish this.  Here are a few of my favorites:

Remember that hackers know, as is human nature, that we cling to passwords, not changing them regularly or not making them complex.  Hackers are often able to use old passwords found in one account to gain access to other accounts for that user.

Was my account affected?

Currently, none of the affected email providers in the US have released comments or recommended actions. ¬†According to the report from Hold Security, here’s how the numbers broke down for the US email providers:

  • The largest number belonged to Yahoo Mail at 15% of the stolen logins
  • 12% of the stolen logins belonged to Microsoft Hotmail users
  • Gmail users only accounted for 9% of the stolen logins