Russian ‘Collector’ Sells Stolen Email Credentials for a Song

A hacker dubbed “The Collector” turned over 272 million stolen email credentials in his possession, Hold Security announced Wednesday.

The hacker bragged online about the stash, which included usernames and passwords, the firm said. It got a copy of the data — which the hacker was peddling for 50 rubles, or less than US$1 — after giving him a shout-out in the forum.

“We found a post on one of the Russian dark Web forums from a hacker alleging collecting hundreds of millions of credentials,” said Alex Holden, chief information security officer at Hold Security.

“After further private conversations, he shared 1.17 billion records which contained 272 million unique user ID and password pairs,” he told the E-Commerce Times.

Multiple Breaches

The company realized the haul was the result of a number of different breaches, especially since 42.5 million, or 15 percent of the credentials, it had never seen on the black market before, Holden said.

Hold Security knows the vectors of the attacks, but most of the data is unattributed and too mixed to identify exactly how all of it was accessed.

The stolen credentials in that group included unencrypted passwords. In addition, most of the credentials were being traded on the black market but not widely shared, Holden said.

Hold Security isn’t the only company that may have seen this information. “We make no illusion that this data was only shared with us,” he said. “Given the ease with which it was given away, it was likely shared many times by the hacker,” who he estimated to be between 18 and 25 years old.

The breached data included 57 million accounts, 40 million Yahoo accounts, 33 million Hotmail accounts and 24 million Gmail accounts.

The company is still trying to nail down the exact time frame, but the breaches definitely took place within the past year, it said.

A victim of this type of breach is vulnerable to all forms of activity, as the login credentials can be used to breach additional accounts and gain information about an email client, Holden warned.

“Your user ID and password are like your house keys,” he said. “Once you lose a key, it is best to change the locks right away.”

Underground Exchange

Underground dark Web forums operate in some ways similar to traditional social media networks, with hackers posting profile pages and exchanging goods and services to enhance their online reputation, according to Sasha Hellberg, a threat researcher at Trend Micro.

“Forums are made and broken by the number of active users and likes they have,” she told the E-Commerce Times. “They link to their friends and their wares, and they promote each other and their capabilities.”

Email credentials can be accessed using several methods, including publicly leaked breaches, credential theft botnets, brute-force attacks and phishing, said Cameron Sabel, intelligence analyst atFireEye.

Corporate accounts tend to be the most valuable to hackers as they are often used to breach corporate networks, he told the E-Commerce Times.

Secondary Breach?

More alarmingly,GreatHorn has traced a security breach that may be directly linked to the Russian credential dump, CEO Kevin O’Brien said.

An account belonging to a prominent U.S. venture capitalist began sending a credential-stealing cloud document to GreatHorn and many of its clients, but it was not a spoofed message, had no malware or blacklisted URLs, and bypassed security gateways and made it directly into user inboxes.

“Based on our analysis, we believe this was a result of this attack,” O’Brien told the E-Commerce Times. GreatHorn has seen logins to Europe that the attack compromised.

“The clear value of credentials to hackers is that they allow them to not only gain illicit access to the private data of the victims, but also use those same email accounts to move east-west — that is, to laterally attack other trusted contacts,” he said.

“Unfortunately, there are places on the Internet where leaked and stolen credentials are posted, and when we come across these or someone sends them to us, we act to protect customers,” a Microsoft spokesperson in a statement provided to the E-Commerce Times by company representative Molly Terrell. “Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account.”

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories

E-Commerce Times Channels