Euro Security Watch with Mathew J. Schwartz

Authentication , Data Loss , Data Loss Prevention (DLP)

Mail.Ru Says Leaked Credentials 99.982% Invalid

But Hold Security Claims Leaked Email Addresses Pose Phishing Risk
Mail.Ru Says Leaked Credentials 99.982% Invalid

A security firm's report that it obtained 1.17 billion email credentials from a young Russian hacker is "media hype," according to Russian email service Mail.Ru, which says virtually all of the leaked data for its users - a substantial subset of the leaked data - is invalid (see: 272 Million Stolen Credentials For Sale? Don't Panic).

See Also: Webinar | The Future of Adaptive Authentication in Financial Services

Hold Security CISO Alex Holden told Reuters that his firm obtained the collection of leaked data, including 272 million unique credentials, for free from a young Russian hacker that he dubbed "the collector." The security company said the collector's data set included login credentials for multiple email services, including Gmail, Hotmail and Yahoo, as well as 57 million accounts for Mail.Ru. But Holden also said that it wasn't clear how many of the credentials might work.

"It's sad that this case casts a shadow over their image." 

On May 6, after analyzing the 57 million Mail.Ru credentials included in the dump, Mail.Ru determined that virtually all of the account credentials for its users are invalid, a company spokesman tells me. "According to Holden himself, 99.55 percent of the username/password combinations are outdated. Our analysis shows that the number of the expired or otherwise invalid combinations is even higher (99.982 percent)," Anna Artamonova, who heads Mail.Ru's email and portal division, says in a statement. "The number of Mail.Ru accounts in the database is large due to the fact that Holden has acquired the database from a Russian 'hacker,' and Mail.Ru is the biggest email provider in Russia and the Russian-speaking Internet segment."

Mail.Ru says it notified the 0.018 percent of affected users whose valid credentials were found in the dump. But 23 percent of the Mail.Ru email addresses in the data dump don't exist, Mail.Ru said, and 64 percent have incorrect passwords - although that could also be because the email address was being used for a different website. Finally, 12.4 percent of the Mail.Ru accounts included in the data set "had already been marked as suspicious," meaning "our system considers those either hacked or controlled by a robot, and blocked," thus requiring users to go through account-recovery procedures to regain access.

Accusation: Report is Hype

Artamonova says that the collection of credentials "is most likely a compilation of a few old data dumps collected by hacking web services where people used their email address to register," thus suggesting that most of the other data included in the leak is also outdated.

Given the fact that the data dump of credentials for Mail.Ru users was almost completely outdated, "it is fair to assume that the sole purpose of issuing the report was to create media hype and draw the public attention to Holden's cybersecurity business," Artamonova contends.

But Holden has called those allegations "baseless," and said his firm responded quickly to all of Mail.Ru's inquiries, including sharing the data leak with the email provider directly, so it could determine whether the information posed a risk and take appropriate measures to protect any affected customers.

Holden also repeated that of the 1.17 billion credentials his firm obtained on underground forums, it had already reported that only 42.5 million credentials appeared to be new, while it had seen the rest in prior data dumps. "We reported accurately that a person from Russia gathered hundreds of millions of stolen credentials and gave them away to fellow hackers - or security researchers posing as hackers," he says.

Service Providers Monitor Dumps

In the wake of Holden's initial report, I reached out to Google, Microsoft and Yahoo, to ask how they were responding, and if any of the account data appeared to be valid. Google has yet to respond.

But Yahoo has dismissed the report. "Our security team has investigated and we don't believe there is any significant risk to our users based on the claims shared with the press," a Yahoo spokeswoman tells me. "We always encourage our users to create strong passwords ... or, even better, eliminate use of passwords altogether by using Yahoo Account Key."

Microsoft hasn't commented on these leaked credentials, but has emphasized its related defenses. "Unfortunately, there are places on the internet where leaked and stolen credentials are posted, and when we come across these or someone sends them to us, we act to protect customers," a Microsoft spokeswoman told me. "Microsoft has security measures in place to detect account compromises and requires additional information to verify the account owner and help them regain sole access to their account."

Mail.Ru says it, too, actively monitors data dumps on behalf of its users. "We regularly monitor the web for credential dumps and check them in order to take steps to protect our users when necessary. We take a very serious approach to ensure our users' security, and we take special pride in our information security team," Artamonova says. "It's sad that this case casts a shadow over their image."

But Holden tells me that wasn't his intention. "I have no reason to doubt that security measures of the Mail.Ru services are good," Holden says. He contends, however, that the valid email addresses that his firm turned up in the data dump could be used for phishing and spamming attacks.

This story has been updated with new comments from Yahoo.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.