Hacker leaks millions of Hotmail, Gmail, and Yahoo Mail usernames and passwords
A number of major webmail services have suffered one of the largest security breaches in recent years. Gmail, Yahoo Mail, Hotmail, and Mail.ru are just four of the services whose account details are affected.
Security firm Hold Security says that it has been contacted by a hacker in possession of 272 million unique pairs of email addresses and unencrypted passwords. This is far from an insignificant number, and the situation is made all the worse as the data is being freely shared for just about anyone to access.
Hold Security says that it was initially contacted by the hacker who was seeking a nominal fee for access to gigabytes of data. Unwilling to contribute to the hacker financially, the security firm negotiated and obtained the data for free. This initially appeared disappointing as it comprised data collected from previous security breaches. But with a little probing, things became more interesting:
"When we peel back the layers and dig deeper, we find that the hacker is holding something back from us. Within several days of communication and after a couple more strategically timed votes on his social media pages, he shared more useful information. At the end, this kid from a small town in Russia collected an incredible 1.17 Billion stolen credentials from numerous breaches that we are still working on identifying. 272 million of those credentials turned out to be unique, which in turn, translated to 42.5 million credentials -- 15% of the total, that we have never seen before."
There is obviously potential for this data to be misused. Talking to the BBC, Alex Holden from Hold Security said:
"There are hacker sites that advertise 'brute forcing' popular services and store fronts by taking a large amount of credentials and running them one-by-one against the site. What makes this discovery more significant is the hacker's willingness to share these credentials virtually for free, increasing the number of… malicious people who might have this information."
But while the numbers seem high -- 57 million Mail.ru accounts, 40 million Yahoo accounts, 33 million Hotmail accounts and 24 million Gmail accounts -- Mail.ru says that not all of the data is valid. Microsoft, Google and Yahoo are all currently investigating the data and talking with Hold Security.