272 million email account credentials found on the dark web

Hold Security paid nothing for the trove of email credentials
Hold Security paid nothing for the trove of email credentials

Hold Security is reporting that one of its researchers discovered, and then acquired, a mega-size load of 272 million stolen email credentials from a hacker.

The security research firm said the batch came from a “Russian kid” that one of its analysts found who had gathered 1.17 billion stolen credentials, from Google, AOL, Yahoo and Mail.ru, from various places on the dark web. When Hold's team boiled this list down, comparing the newly acquired data to data already in its possession, it found 272 million of the email credentials were unique with 42.5 million having never been disclosed. The remainder were already known to be compromised.

In spite of the huge volume of records that were found, the price paid to the hacker by Hold Security is even more amazing.

Nothing.

The original asking price was 50 rubles, less than £1, but Hold bargained the hacker down.

“In all reality, 50 rubles is next to nothing, but we refuse to contribute even insignificant amounts to his cause. It is rather funny to negotiate over this, but finally the hacker just asks us to add likes/votes to his social media page (so much for anonymity). That we can do, and once he is satisfied with the results we get a link to an incredible 10 gigabytes in a compressed database, which takes us more than hour to download,” Hold wrote.

Industry experts put forth several reasons for the hacker giving away the data, ranging from it being a supply and demand issue to the fact that they were unverified and thus possibly worthless to a buyer.

“My guess is the credentials were either unverified or specifically stale (abandoned accounts, for instance). He probably gathered it from dumps of previous breaches of other vendors, so it's likely that he didn't do the work of stealing the data so much as he probably just garbage-collected it from around the web,” Lysa Myers, Security Researcher at ESET told SC in an email.

Jonathan Cran at Bugcrowd said in an email to SC the emails could still prove useful, but “the half life of stolen credentials is decreasing as SaaS providers such as mail.ru or Gmail get faster at invalidating them.”

“These kind of mail credentials are useful for spammers and scammers who utilize accounts to spread malware and further their own access,” Myers pointed out.