Google and Yahoo have said they are "investigating" a breach of millions of Gmail and Yahoo email accounts, along with accounts from Microsoft's Hotmail service.
Hundreds of millions of email usernames and passwords are being traded in Russia's criminal underground after a recent security breach, Reuters reported on May 5. The breach is one the largest cases of stolen Internet credentials since an outbreak of hacks of U.S. banks and companies in 2014.
The 272.3 million email accounts breached consist of 57 million Mail.Ru accounts, Russia's most widely used email service, along with 40 million Yahoo Mail accounts, 33 million Hotmail accounts and 24 million Gmail accounts. The Inquirer also reports that 42.5 million of the accounts have never been leaked before in previous security breaches.
"We are still investigating, so we don't have a comment at this time," said a spokesperson from Google regarding the leaked information.
"We've seen the reports and our team is reaching out to Hold Security to obtain the list of accounts now," said a Yahoo spokesperson, adding that the company would update going forward.
A statement from Microsoft said its security programs could detect if a user's Hotmail account was breached, and that it would help affected users keep hackers out of their accounts.
The data breach was discovered by Alex Holden, founder and chief information security officer at Hold Security. Holden stumbled across a young Russian hacker who was bragging about the amount of data he had breached on an online forum. The hacker was asking for less than $1 in Russian rubles for all of the credentials, but Holden gained the information for free when he said he would promote the hacker online.
"This information is potent," said Holden, who in 2015 helped uncover a large data breach that included user information from Twitter and Facebook.
"It is floating around in the underground and this person has shown he's willing to give the data away to people who are nice to him," Holden warned. "These credentials can be abused multiple times."
A spokesperson for Mail.ru said the company was checking if any of the leaked credentials matched active accounts on the service, and that the company would warn any users who had been affected. She added that so far, none of the combinations of usernames and passwords matched accounts that were currently active.