Mail.ru, Gmail, Yahoo, and Microsoft email heist: 272M accounts stolen | BGR

http://bgr.com/2016/05/04/mail-ru-gmail-yahoo-microsoft-email-heist/

Large data leak again!

2 Comments

  1. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Following highly publicized report of 272M email credentials for sale in Russia, Mail.ru and Google both say 98%+ of credentials on their services are invalid

    Garbage in, garbage out: Why Ars ignored this week’s massive password breach
    When a script kiddie sells 272 million accounts for $1, be very, very skeptical.
    http://arstechnica.com/security/2016/05/the-massive-password-breach-that-wasnt-google-says-data-is-98-bogus/

    Earlier this week, mass panic ensued when a security firm reported the recovery of a whopping 272 million account credentials belonging to users of Gmail, Microsoft, Yahoo, and a variety of overseas services. “Big data breaches found at major email services” warned Reuters, the news service that broke the news. Within hours, other news services were running stories based on the report with headlines like “Tech experts: Change your email password now.”

    Since then, both Google and a Russia-based e-mail service unveiled analyses that call into question the validity of the security firm’s entire report.

    “More than 98% of the Google account credentials in this research turned out to be bogus,” a Google representative wrote in an e-mail.

    Separately, Mail.ru, Russia’s biggest e-mail provider, has said that more than 99.98 percent of the credentials it received from security firm Hold Security turned out to be invalid accounts.

    Since most of these services require users to supply an email address as a user name, it’s not surprising that the compiled list would contain millions of addresses provided by some of the world’s biggest providers. But even if the credentials were valid—a big if, given the results of Google’s and Mail.ru’s analysis—that doesn’t mean the list automatically provided a way to gain access to an affected user’s Gmail or Hotmail account. That would happen only if a user reused the password on both a third-party website and the Gmail or Hotmail account. Yes, that practice is all too common, but it’s nowhere near universal.

    Reply
  2. Tomi Engdahl says:

    99.9% of Alex Holden’s Database Entries Are Invalid, Mail.Ru Group’s Security Analysis Shows
    https://corp.mail.ru/en/press/releases/9613/

    Mail.Ru Group’s Information security specialists have studied the sample of data received from Alex Holden. The analysis shows that 99.982% of Mail.Ru account credentials found in the database are invalid. The database is most likely a compilation of a few old data dumps collected by hacking web services where people used their email address to register. Therefore, it is fair to assume that the sole purpose of issuing the report was to create media hype and draw the public attention to Holden’s cyber security business.

    22.56% of the database entries analyzed contain email addresses that do not even exist, 64.27% contain wrong passwords, and some of the entries (0.74%) have no passwords whatsoever. The 12.42% remaining accounts had already been marked as suspicious by Mail.Ru

    Only 0.018% of username/password combinations in the sample analyzed might have worked. We have already notified the affected users to change their passwords.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*