2 Comments
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Following highly publicized report of 272M email credentials for sale in Russia, Mail.ru and Google both say 98%+ of credentials on their services are invalid
Garbage in, garbage out: Why Ars ignored this week’s massive password breach
When a script kiddie sells 272 million accounts for $1, be very, very skeptical.
http://arstechnica.com/security/2016/05/the-massive-password-breach-that-wasnt-google-says-data-is-98-bogus/
Earlier this week, mass panic ensued when a security firm reported the recovery of a whopping 272 million account credentials belonging to users of Gmail, Microsoft, Yahoo, and a variety of overseas services. “Big data breaches found at major email services” warned Reuters, the news service that broke the news. Within hours, other news services were running stories based on the report with headlines like “Tech experts: Change your email password now.”
Since then, both Google and a Russia-based e-mail service unveiled analyses that call into question the validity of the security firm’s entire report.
“More than 98% of the Google account credentials in this research turned out to be bogus,” a Google representative wrote in an e-mail.
Separately, Mail.ru, Russia’s biggest e-mail provider, has said that more than 99.98 percent of the credentials it received from security firm Hold Security turned out to be invalid accounts.
Since most of these services require users to supply an email address as a user name, it’s not surprising that the compiled list would contain millions of addresses provided by some of the world’s biggest providers. But even if the credentials were valid—a big if, given the results of Google’s and Mail.ru’s analysis—that doesn’t mean the list automatically provided a way to gain access to an affected user’s Gmail or Hotmail account. That would happen only if a user reused the password on both a third-party website and the Gmail or Hotmail account. Yes, that practice is all too common, but it’s nowhere near universal.
Tomi Engdahl says:
99.9% of Alex Holden’s Database Entries Are Invalid, Mail.Ru Group’s Security Analysis Shows
https://corp.mail.ru/en/press/releases/9613/
Mail.Ru Group’s Information security specialists have studied the sample of data received from Alex Holden. The analysis shows that 99.982% of Mail.Ru account credentials found in the database are invalid. The database is most likely a compilation of a few old data dumps collected by hacking web services where people used their email address to register. Therefore, it is fair to assume that the sole purpose of issuing the report was to create media hype and draw the public attention to Holden’s cyber security business.
22.56% of the database entries analyzed contain email addresses that do not even exist, 64.27% contain wrong passwords, and some of the entries (0.74%) have no passwords whatsoever. The 12.42% remaining accounts had already been marked as suspicious by Mail.Ru.
Only 0.018% of username/password combinations in the sample analyzed might have worked. We have already notified the affected users to change their passwords.