Login details for more than 272 million Gmail, Hotmail and Yahoo! accounts are being traded by Russian cybercriminals, it has been revealed.
According to research from cybersecurity firm Hold Security, the majority of leaked login credentials relate to Mail.ru, Russia's most popular email service.
However, Reuters reports that millions of Google, Yahoo! and Microsoft email accounts have also been stolen, affecting internet users across the world.
It is one of the biggest stashes of stolen login credentials in internet history, and users are rightly worried.
Hold Security claims it came across the database on a Russian hacker forum, where one user was bragging that he had obtained the details for around 1.17 billion email accounts.
After combing through the database, the company found the real number was much smaller, but some companies have still been badly hit. The cache reportedly contains 57 million Mail.ru accounts, affecting most of the service's 64 million active users.
Stolen passwords can fetch a good price on the black market, but the Russian hacker was only asking for 50 roubles (around 52p) for the entire trove. He eventually handed the cache over to Hold Security researchers after they said they would post favourable comments about him on the internet, to stay in line with their policy of never paying for stolen data.
Speaking to the news agency, Hold Security founder Alex Holden said: "This information is potent. It is floating around in the underground and this person had shown he's willing to give the data away to people who are nice to him."
"These credentials can be abused multiple times," he added.
The stolen logins can obviously be used to access email accounts, but users who tend to have the same password for multiple websites are even more vulnerable.
Users concerned about the leak would be wise to change their passwords, start using different passwords for different accounts, and enrol in two-step verification on supporting sites.
Now, Mail.ru is analysing the password database, to check if the entries actually match up to user accounts.
A Microsoft spokesperson said: "Unfortunately, there are places on the internet where leaked and stolen credentials are posted, and when we come across these or someone sends them to us, we act to protect customers. Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account."
The Independent has contacted Google and Yahoo! for comment. – The Independent