
humongous data breaches at major mail services - Hotmail, G-Mail, Yahoo Mail and Mail.ru

zMeul

source: http://www.reuters.com/article/us-cyber-passwords-idUSKCN0XV1I6

Quote

 

The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totalling 1.17 billion records.

After eliminating duplicates, Holden said, the cache contained nearly 57 million Mail.ru accounts - a big chunk of the 64 million monthly active email users Mail.ru said it had at the end of last year. It also included tens of millions of credentials for the world's three big email providers, Gmail, Microsoft and Yahoo, plus hundreds of thousands of accounts at German and Chinese email providers.

"This information is potent. It is floating around in the underground and this person has shown he's willing to give the data away to people who are nice to him," said Holden, the former chief security officer at U.S. brokerage R.W. Baird. "These credentials can be abused multiple times," he said.

...

After being informed of the potential breach of email credentials, Mail.ru said in a statement emailed to Reuters: "We are now checking, whether any combinations of usernames/passwords match users' e-mails and are still active.

"As soon as we have enough information we will warn the users who might have been affected," Mail.ru said in the email, adding that Mail.ru's initial checks found no live combinations of user names and passwords which match existing emails.

A Microsoft spokesman said stolen online credentials was an unfortunate reality. "Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access."

Yahoo and Google did not respond to requests for comment.

Yahoo Mail credentials numbered 40 million, or 15 percent of the 272 million unique IDs discovered. Meanwhile, 33 million, or 12 percent, were Microsoft Hotmail accounts and 9 percent, or nearly 24 million, were Gmail, according to Holden.

Thousands of other stolen username/password combinations appear to belong to employees of some of the largest U.S. banking, manufacturing and retail companies, he said.

 

you have mail account at one of these providers? change your password, use two factor authentication by either an authenticator app (google) or via SMS

once again, on-line service providers prove they don't give a flying fuck about their customers - what's even more sad is that it took a loud mouth to brag on the internet, otherwise no one would've known until too late

 

---

 

I know HotMail was renamed Outlook - I'll continue to call it HotMail to distinguish it from the MS' mail client, Outlook

 

---

 

a few years back when two factor auth wasn't a thing, my HotMail account was compromised or MS detected suspicious activity and MS locked it down

I had to remember a lot of shit, including details from latest mail sent or received on that account to regain access to my account .. was a pain, but I did it

as soon as two factor (SMS) was a thing, I enabled it on all services that supported; later on I bought my 1st smartphone just for this task alone, and I still use that same phone

Edited by zMeul

The title for this though..... Almost all lowercase and Hotmail is dead, it's Outlook now.

"Simple Yet Complex" 


Welp, good thing I use 2-factor authentication. I might change my password again just to be sure. Also, Hotmail is dead, it's outlook.


I use 2 factor authentication as well with my phone but just to be extra safe, I bumped up the tightness of the password.


Good thing I already use 2-factor authentication and a really strong passphrase.


Well at least he hasn't tried to blame the breach on AMD :P

 

Both my MS & Google accounts are 2 factor protected so if anyone tries to sign in I get notified by Email and through the Authentication App on my tablet so if that happens I'll change my passwords again.


29 minutes ago, zMeul said:

you have mail account at one of these providers? change your password, use two factor authentication by either an authenticator app (google) or via SMS

once again, on-line service providers prove they don't give a flying fuck about their customers - what's even more sad is that it took a loud mouth to brag on the internet, otherwise no one would've known until too late

 

Sorry, but companies don't have alert sirens when they detect someone hacking their server.

They only know after doing investigative work in looking at connections, and strange behaviors.

 

Also, anyone can say "I have all xyz logins", doesn't mean that they do. Any kid desperate to show off and like to sound "cool" can say that.

I like to see proof of his claims.

 


I don't quite understand. Do they have access to all of those emails or they got only those with weak passwords?


How'd he get the data? Specifically for Google and Microsoft accounts? Because there's a big difference between them hacking into Google and/or Microsoft and stealing passwords - I imagine that'd be quite difficult indeed (though certainly not impossible). I'm more inclined to believe - if this is even real - that these are passwords stolen directly from users, via weak passwords, or compromised client PC's via malware.

 

My Microsoft Account password is pretty well impossible to guess, for example. Social engineering would be useless unless you convinced me to straight up tell you my password. (and no, it's not "password")


7 minutes ago, dalekphalm said:

How'd he get the data? Specifically for Google and Microsoft accounts? Because there's a big difference between them hacking into Google and/or Microsoft and stealing passwords - I imagine that'd be quite difficult indeed (though certainly not impossible). I'm more inclined to believe - if this is even real - that these are passwords stolen directly from users, via weak passwords, or compromised client PC's via malware.

 

My Microsoft Account password is pretty well impossible to guess, for example. Social engineering would be useless unless you convinced me to straight up tell you my password. (and no, it's not "password")

and no, it's not "password"

is it "Password"?


meh, I have 2 factor authentication and I'm pretty sure google would notice me if some dude in Russia tried to access my account.

As for my other accounts, none reuse the same password, it's all randomly generated stuff made with keepass.


The title, my eyes are burning.

Please use capitals and punctuation in the appropriate places.


Someone tried to log in to my email some weeks ago, I have no idea where or how they got that info, but this would explain it.

 

Luckily I had switched to 2 step authentication in all my accounts a few days before it happened, so they couldn't actually get in my email.


I'm not even going to change my password. 

 

#thuglyfe


2 hours ago, dalekphalm said:

convinced me to straight up tell you my password. (and no, it's not "password")

i could tell you my password, but useless without my phone ;).

#2step

 

ALL services need to have 2step as an option.

 

 

 


Any ideas on how?

I would guess they would have hashed and salted the passwords, so it would take a very long time to crack them?


20 letters password+every website has unique password+2Step verification. Yet to see my email in one of those lists.


Good thing I use two factor authentication on all my emails


I'm just surprised you didn't manage to find a way to pin this on AMD dude, but carry on.

 

Also yeah data leaks suck, let's hope it's so massive chances of your data being compromised are slim, kind of like a needle in a haystack situation.


15 hours ago, GoZone said:

The title for this though..... Almost all lowercase and Hotmail is dead, it's Outlook now.

And it's still dead for everyone except retarded businesses.


While I'm not denying a possibility of huge data breach but it seems unlikely that all big services got hit without anyone noticing anything. Most likely scenario would be that he may have breached mail.ru and compiled google/yahoo/hotmail from other sources.

 

I mean I could go and buy email + password combinations for few bucks, compile those into 1 file and brag how big of a hacker I am while in reality I simply bought them from the dude who's hacking some unprotected community databases and extracting emails + passwords from them. Since many are lazy and using same password everywhere ofc someone checking will find matches.
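
Added example, not part of the original thread or the Reuters article: the provider-side check Mail.ru describes in the quoted piece (de-duplicate the dump, then test each pair against the salted hashes the provider already stores), which also shows why a list compiled from other sites, as the post above suggests, only yields matches where a password was reused. The `email:password` dump format, the PBKDF2 parameters and all addresses and passwords are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 10_000  # low so the demo runs fast; production stores use far more

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user_store(accounts):
    """Constructed stand-in for a provider's user table: email -> (salt, hash)."""
    store = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store

def parse_dump(lines):
    """Parse 'email:password' lines, skip malformed ones, de-duplicate pairs."""
    pairs = set()
    for line in lines:
        email, sep, password = line.strip().partition(":")
        if sep and "@" in email and password:
            pairs.add((email.lower(), password))
    return pairs

def triage(dump_lines, store):
    """Return (unique pairs, per-domain counts, our accounts with a live match)."""
    pairs = parse_dump(dump_lines)
    by_domain = Counter(email.rsplit("@", 1)[1] for email, _ in pairs)
    live = set()
    for email, password in pairs:
        record = store.get(email)
        if record is None:
            continue  # address is not one of our users
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            live.add(email)  # leaked password still works: force a reset
    return len(pairs), dict(by_domain), sorted(live)

# Constructed sample data (not from the real dump)
STORE = make_user_store({"alice@mail.example": "correct horse 42",
                         "bob@mail.example": "hunter2"})
DUMP = ["alice@mail.example:summer2014", "bob@mail.example:hunter2",
        "BOB@mail.example:hunter2", "carol@other.example:qwerty",
        "garbage line", "bob@mail.example:hunter2"]

if __name__ == "__main__":
    print(triage(DUMP, STORE))
```

Only the account whose leaked password matches the stored hash is flagged; the stale pair for the other user counts toward the dump's size but is not a live credential.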


I use outlook, but have had 2 step setup for over a year now. Glad I did.


17 hours ago, GoodBytes said:

Sorry, but companies don't have alert sirens when they detect someone hacking their server.

They only know after doing investigative work in looking at connections, and strange behaviors.

 

Also, anyone can say "I have all xyz logins", doesn't mean that they do. Any kid desperate to show off and like to sound "cool" can say that.

I like to see proof of his claims.

 

Holy fucking shit. This is a wake-up call. Do we know which accounts were compromised?

 

I need to add 2 factor to all of my email accounts (I have 2 for personal that I use and then 1 apple one I don't use and 1 school one)


it's AMD's fault, there's no security on the web to begin with, barely any, unless we reinvent the web, if there's anything we can do to begin with
