Millions of Gmail, Yahoo, Hotmail Email Accounts Being Traded in Russian Underworld (reuters.com) 73
Eric Auchard, reporting for Reuters (edited and condensed): Hundreds of millions of hacked usernames and passwords for email accounts and other websites are being traded in Russia's criminal underworld, a security expert told Reuters. The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia's most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users (Editor's note: the numbers are: 57M Mail.ru, 24M Google, 40M Yahoo, and 33M Hotmail), said Alex Holden, founder and chief information security officer of Hold Security. [...] The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totaling 1.17 billion records.Amir Efrati, a reporter with The Information, asks: "Industry seems to be failing at convince email users to do 2-step verification. Why not require it?"
Russians (Score:5, Funny)
Re: (Score:2)
No surprise here (Score:3)
Re: (Score:2)
Run your own email server (Score:5, Funny)
Re: (Score:1)
If we followed Hillary Clinton's example, we'd sell our enemies other precious resources for personal gain besides just the uranium. That traitor can go to hell.
Re: (Score:3)
If we followed George Bush's example we'd ignore 8 months of daily warnings of an impending attack and let 3,000 people die in the span of a few hours, then turn around and claim there was on way to prevent the attack.
Afterwards, you'd make up some excuse, including making up false documents, to invade and occupy a foreign country which had nothing to do with anything while at the same time letting the person who planned the worst terrorist attack in U.S. history escape because you ignored every request fro
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
I skipped the middle-man. I moved my email to being hosted by Yandex. Yes, yes that company. However, it might actually be safe from the NSA - specifically. I'm pretty sure Putin's reading it daily and I guess that's okay. Ah well... At least I keep mail separate from my domain - 'cause the domain is down as they dorked the move but I shan't burden you with my tale of woe. I do, on the other hand, want to vent. I'll spare you that too. ;-)
Re: (Score:2)
Hmm ... not sure if you're being sarcastic. (?)
If not, then I consider myself in esteemed company. I moved my email so it's now hosted by Mail.ru. (Domain held separately.)
I did a little Googling* and saw that Putin has been critical of Yandex but not Mail.ru. (Quite harshly, in fact.)
And historically, he's not on the best of terms with the individuals leading Yandex, but seems amicable with those of Mail.ru.
Also, Mail.ru's email is scanned by Kaspersky, which I find is often singled-out / ridiculed by main
Re: (Score:2)
I have much, much to respond. I sat here for a few minutes and decided that brevity, for a chance, would be my chosen route.
I am not even remotely kidding. Not only do have have my site's email configured to use Yandex, I have a standing offer to allow site visitor/participants to ask for and receive a Yandex email of their own. At some point, I'll document how it is done and let people do it themselves - it's not terribly difficult.
It does help to read Russian but I think, I'm not positive, that you might
Re: (Score:1)
Why stop with Russia? China, Nigeria, Ukraine, South Korea, and others, including the USA and UK, harbor hacker gangs. Disconnect them all!
Re: (Score:1)
"The Net interprets censorship as damage and routes around it." -- John Gilmore
The good reason why it isn't done is that there is no such cable that you can sever to disconnect Russia.
Re: (Score:1)
Because in Soviet Russia, cable disconnects you!
Another reason for 2FA (Score:2)
Re:Another reason for 2FA (Score:4, Insightful)
2FA is great unless the company happily agrees to turn it off when a hacker kindly asks them to via web chat or twitter DM: http://www.csoonline.com/artic... [csoonline.com]
If someone can CALL or CHAT or DM and ask them to turn off 2FA, then the process is broken, the security is an illusion and using 2FA is worthless.
Re: (Score:2)
2FA is great unless the company happily agrees to turn it off when a hacker kindly asks them to via web chat or twitter DM: http://www.csoonline.com/artic... [csoonline.com]
If someone can CALL or CHAT or DM and ask them to turn off 2FA, then the process is broken, the security is an illusion and using 2FA is worthless.
Luckily Paypal isn't trusted with something so important as your online identity - just your funds.
Re: (Score:2)
At least Amazon requires a notarized letter to turn off 2FA on AWS.
Re: (Score:2)
As you seem to possibly know a bit about this, do you know if there are any second factor devices that are compatible with gmail that are screen based rather than NFC/USB based?
Will they work with an RSA token instead?
yeah, boss. that's it. that's what happened. (Score:3)
Cut to the chase (Score:2)
Re: (Score:2)
According to the article, the hacker sold the userids and pwds (something like 150 million) for about $1.
Re: (Score:2)
I'm not even a criminal or anything. I'll give 'em $10 for that. I'm not sure what I'd do with 'em but it'd be an awesome buy. I'm pretty sure it'd not be illegal for me to buy them either. I'm positive it would be illegal for me to *use* them but I don't think it's a crime to buy 'em. Hell, a buck isn't bad at all.
Meh, I'm pretty sure they don't need my email address. My government already gave 'em a bunch of data. Well, they didn't *give* it to them but, if I read everything properly, they didn't try real
...and the sky is blue (Score:4, Interesting)
Re: (Score:3)
Tomorrow's story is "malware infects Windows computer"
WHAT YOU SAY???
Re: (Score:2)
Dude, no kidding. It could happen! ;-)
Err... Ignore me - I'm venting.
Two-Step Authentication (Score:1)
It's easy and it works!
Google (Gmail) [google.com]
Yahoo [yahoo.com]
Microsoft (Hotmail) [microsoft.com]
Federated authentication (Score:5, Insightful)
No guarantee. A lot can be obtained from third-party sites, to which people login using their existing accounts. It is not only Slashdot, which allows you to login with your Yahoo! or Facebook credentials...
When you use this method on a web-site, you get a notice, that you authorize the site to "access your contacts" and some other information. This is easy for the sites to set up and they like it because they want to encourage people to comment — it increases "pageviews". The site itself may not be abusing this access (some operators may not even realize, they have it).
Unfortunately, not all sites are good at guarding it — this is how your entire Yahoo! addressbook, for example, may end up in the criminals' possession without them ever actually accessing your mailbox. Having such addressbooks, spammers can (and do! [stackexchange.com]) generate customized spam in which you appear to be the sender for each of your contacts and which opens with the salutation you used to identify the contact. Such spams, obviously, have a far higher chances of being read by the victims — and the links in them are much more likely to be clicked.
Re: (Score:2)
Re: (Score:1)
This is simple... (Score:2, Informative)
1. Don't log into websites with a Google, Microsoft, or Facebook account. This is patently stupid and only those who don't understand security will do this and claim "it's easy", or "it's convenient". You get what you have coming if you go this route.
2. Firewall email and other accounts. IOW, have an account for important personal things. Have an account for trivial things. Have a throwaway account for quick signup that are not important. With Facebook and other privacy-nightmare sites, use an email account
Re: (Score:2)
Its probably safe to block all posts containing "goat.cx" at this point since the domain is parked.
Mail.ru (Score:2)
A friend that runs a small anti-spam company says that he's "never seen a legit email" from Mail.ru, period.
I'm sure they exists, but when they're only 0.000000000000000000000001 of the volume, it's probably hard to detect.
Re: (Score:2)
For whatever it's worth, someone on the Mail.ru security team is credited with discovering recent critical ImageMagick vulnerabilities [imagetragick.com] (and now I'm wondering if that's how they were compromised). So while they may not send a lot of legit mail outside of Russia, I'd say Mail.ru is still a net positive.
Re: (Score:2)
So while they may not send a lot of legit mail outside of Russia, I'd say Mail.ru is still a net positive.
That's like saying "the tsunami that washed your burning house out to sea put out the fire, so lets have a round of applause for the tsunami."
Or...to use a car analogy: the car accident turned you into a quadriplegic, but the upside is that you won't ever need to go shopping for clothes again!
Captain Obvious (Score:4, Interesting)
"Exclusive: Big data breaches found at major email services - expert"
Wow, no shit?? Bloomberg is really on the cutting edge of newsy stuff, like fer sure. Oooh, and their big discovery is "Exclusive" too.
You could run this headline every day and it would be true. Has Bloomberg just discovered email and hackers and stuff?
By U.S. Dept. of Fear? (Score:1)
There is a Russian underworld? (Score:1)
Re: (Score:2)
There is a Russian underworld? I thought the Russian underworld successfully merged with the Russian government during the Yeltsin era and is now literally blossoming under Putin.
You are correct. Check out the "Russian Business Network", or RBN. They're definitely part of the day-to-day operations of the Russian economy and are meshed intimately with the government at nearly every level. They make the Mafia look like rank amateurs.
This is probably a scam (Score:1)
This story has surfaced several times before - each time the password number seems to grow larger and larger. Alex Holden appears to be using it to promote his business.
Here's a couple of skeptical opinions on it.
https://www.schneier.com/blog/archives/2014/08/over_a_billion_.html
https://community.spiceworks.com/topic/557606-scam-of-the-week-for-sale-cybervor-false-sense-of-security
Long story short, Alex Holden is charging people $120 to find out if their account is impacted. The collection of stolen accou
Passwords? (Score:2)
If the database includes both usernames and passwords, it is practically guaranteed that it was stolen from the user's computer by keylogging viruses, etc.. No large email provider would be stupid enough to store actual passwords on their side.
Re: (Score:2)
No large email provider would be stupid enough to store actual passwords on their side.
I, too, want to believe.
Dumpster diving (Score:2)
People do not shred papers or shred with outdated machines. This is how passwords, account numbers, photos, handwriting samples, etc. gets into the underworld.
All this systematically collected and added to large databases. Modern hard disks allow to keep data on the whole population, especially of the first world. Obviously it is an international underworld.
By two-factor, they mean GIVE US YOUR PRIVATE # (Score:3)
>"Amir Efrati, a reporter with The Information, asks: "Industry seems to be failing at convince email users to do 2-step verification. Why not require it?" "
Because not all of us want to give stupid corporations our freaking cell phone number or whatnot. Talk about a MAJOR invasion of privacy. There are things that CAN be done, but forcing an invasive "solution" on people will find at least some of their user base leaving their service.
Some of us really are VERY careful about passwords, not using malware-infected systems, etc. And forcing us to hand over even more private info to companies that ABSOLUTELY WILL spam us with it is a deal-ender.
Re: (Score:1)
Re: (Score:1)
Many people...
The scenario you just gave would be lucky to be relevant to even one person. Monitoring the email address of a target so you can track their cell phone so you can then airstrike them? How many Slashdot readers face this as real threat?
i think "many" is a little bit of any overstatement.