Several high-profile email providers have been the subject of a leak of user account information, which includes usernames, email addresses and unencrypted passwords. The leak involves multiple services; popular names such as: Gmail, Yahoo Mail, Hotmail and Mail.ru.
The security firm that discovered the breach, Hold Security, believes that many of the accounts involved in this leak have not been previously leaked. According to its analysis there are over 272 million unique email and unencrypted password pairs, where 42.5 million have not been previously leaked.
Hold Security was able to get a hold of the data for free. The hacker originally asked for 50 roubles (equating to around 75 cents or 52 pence) for the entire list. Instead, an agreement was reached to provide the data for free if the firm was to post positive comments about the hacker in a forum.
The major worry with this breach is the hackers willingness to provide the data at no cost, or for virtually nothing. In a statement from Alex Holden, chief information security officer at Hold Security, he said:
What makes this discovery more significant is the hacker's willingness to share these credentials virtually for free, increasing the number of... malicious people who might have this information.
A breakdown of the major services affected showed the scale of the leak:
- 57 million accounts for Mail.ru
- 40 million for Yahoo Mail
- 33 million for Hotmail
- 24 million for Gmail
Mail.ru was the service most affected, having 57 million accounts leaked, although Yahoo Mail wasn't far behind with 40 million.
Statements from several of the providers have been released.
A spokeswoman for Mail.ru said that they are "now checking whether any combinations of username/password match" active accounts and will "warn the users who might have been affected".
Microsoft stated that they would require "additional information to verify the account owner and help them regain sole access", whilst explaining that they have measures in place to prevent access.
Google said that they are "still investigating, so we don't have a comment at this time".
Yahoo said that they have "seen the reports" and their "team is reaching out to Hold Security to obtain the list of accounts". They will provide further updates once they know more.
The concern of this leak does not lay solely with people being able to gain access to one's email account, but also that these details could be used to send bulk phishing emails.