Hacker trades 272 million passwords for social media likes

Security researchers find a hacker bragging online that he'd amassed a mountain of passwords. And he didn't want much in return for them.

Laura Hautala Former Senior Writer

Your passwords are worthless.

At least, that's the message coming from a hacker who traded more than 272 million account credentials to a cybersecurity company in exchange for praise on a social media platform for hackers.

The passwords and usernames belonged to accounts from Russia's largest email provider, Mail.Ru, as well as a smaller number of accounts each from Gmail, Yahoo Mail and Microsoft Hotmail. Though the cache, first reported by Reuters, doesn't mean there was a breach of the email services themselves, it contains a huge amount of data. Cybersecurity experts say trades like this are an everyday occurrence and show how exposed our passwords really are.

Alex Holden, chief information officer at Hold Security and a cybersecurity researcher who specializes in Eastern European hacking, said the hacker originally offered the cache to the company for the equivalent of just $11, but after some negotiating provided the information in exchange for plaudits on a members-only hacking forum.

"He didn't value this data," Holden said.

Mail.Ru said the company was examining the data to see how many passwords were currently connected to email accounts. "As we have enough information we will warn the users who might have been affected," the company said in the statement. "Mail.Ru email service has been working hard to continuously improve its security system."

Yahoo said it is also trying to examine the list of credentials.

"We've seen the reports and our team is reaching out to Hold Security to obtain the list of accounts now. We'll update going forward," the company said in a statement.

Microsoft didn't confirm whether its users were affected by this data dump, but it did note that the posting of passwords is a problem.

"Unfortunately, there are places on the Internet where leaked and stolen credentials are posted, and when we come across these, or someone sends them to us, we act to protect customers," a Microsoft spokesman said in a statement. "Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account."

Google declined to comment on the specific incident. The company wrote a blog post in 2014 about the problem of "password dumps," offering tips to users on what to do when such lists are posted online.

"It's important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems," the company wrote in the blog post, which responded to a different data dump.

Even though the hacker practically gave the login information away for free in the data dump revealed Wednesday, it's valuable to email users, who would do well to change their passwords often and never reuse them on other accounts, Holden said. They should also take advantage of two-factor authentication on their most valuable accounts, he said, even if it's a little inconvenient.

That's the login technique that verifies who you are by sending you a text message or push notification to a separate phone or tablet. Mail.Ru said in a statement that it began offering a two-factor system last year, along with other increased safety measures; the other affected email providers also offer that service.

Holden said his company has found the three largest password caches online ever, including this one, "not that it's a good thing to hold that record." Large troves of credentials get passed around all the time, he said.

Big data breaches tend to yield passwords, as do phishing campaigns and other efforts that trick Internet users into handing their credentials over to phonies. Some people on dark corners of the Internet will compile huge lists out of these smaller caches, like the one Holden's company discovered. So while the cache revealed Wednesday seems like a big deal, it's also just the tip of the iceberg.

"It's a huge amount of credentials," said Holden, "but credentials are being stolen and trafficked on a daily basis."