Passwords and emails don't match up in cache of 272 million logins

Three email providers say their customers aren't at risk after the discovery of a hoard of login credentials.

Laura Hautala Former Senior Writer

Remember the quarter billion email addresses and passwords that were found on a hacking forum earlier this week? Don't worry about them, three email providers say.

Yahoo, Google and Mail.Ru say it's highly unlikely your account was jeopardized. The companies looked at a sample of the 272.3 million passwords that were discovered and concluded most were not related to the corresponding email accounts. While that's good news, the researcher who discovered the passwords said they still might be affiliated with other online accounts, which many people use their email addresses to log into.

As for your email account, though, you can relax.

"Our security team has investigated and we don't believe there is any significant risk to our [Yahoo Mail] users based on the claims shared with the press," Yahoo said in a statement.

Mail.Ru went further, saying the company found just 0.018 percent of the passwords were valid for the corresponding email address.

"The database is most likely a compilation of a few old data dumps collected by hacking Web services where people used their email address to register," Madina Tayupova, a Mail.Ru spokeswoman, wrote in an email.

Google also found a very small rate of accounts that were legitimately affected. "More than 98 percent of the Google account credentials in this research turned out to be bogus," a company representative wrote in a statement. "As we always do in this type of situation, we increased the level of login protection for users that may have been affected."

Alex Holden, the chief information security officer at Hold Security, discovered the cache of login information after a Russian-speaking member of a hacking forum bragged he had put together a giant heap of account credentials. According to Holden, the hacker was willing to trade the data for positive comments on the hacking forum.

Holden said he still believes there's reason to be concerned about the usernames and passwords he found.

The passwords may not correspond to the email accounts of the people listed, but they could very easily be someone's login for "Twitter or Facebook or ten thousand other services," Holden said.

The other email service caught up in the data dump is Microsoft's Hotmail. The company didn't respond to a request for comment.