Details of some 42.5 million email accounts have been offered for sale at a value of mere pence, though at least one of the companies involved is claiming none of the accounts relate to currently-active username and password combinations.
Discovered by Hold Security
, the leak contains a total of 272 million unique email address and plain-text password pairs from Gmail, Yahoo Mail, Hotmail, and Mail.ru. From those 272 million, 42.5 million were new and had not been found in previous leaks - a low hit-rate which is causing some security experts to question the legitimacy of the data obtained by Hold Security and its apparently alarmist claims regarding the leak.
'Another data breach or a repackaged one? Firstly lets have perspective and keep to what is emerging about this very large breach of 272 million email addresses,
' opined AVG Technologies' Tony Anscombe of the leak. 'Only 42.5 million are new, the rest have been seen in previous breaches.
' Pointing to claims from Mail.ru that 'a large number of usernames are repeated with different passwords [and] the first check of a sample of data showed that it does not consist of any real life combinations of usernames and password,
' Anscombe suggested that 'if the data is not ‘live’ then it explains why the hacker readily gave it away. It seems unlikely that someone would go to the effort of stealing data only to give it away.
The trove of data, which Hold Security has called The Collector Breach, was offered for sale to the company for a mere 50 Rubles - less than 53p at current exchange rates. Hold refused to pay even this token amount, however, with the unnamed source eventually agreeing to provide the database in exchange for 'likes/votes to his social media page
The companies involved in the leak have indicated that their investigations are ongoing, and that accounts found to be compromised will be contacted to change associated passwords. Where available, companies are also pointing to two-factor authentication (2FA) systems as a way to protect accounts from abuse following leaks such as these. In no cases have any of the companies suggested how the leaks occurred, if indeed the data is in any way legitimate, nor how the plain-text passwords were included.