A single hacker from a small town in Russia compiled a whopping 272 million unique stolen email addresses and passwords, researchers say.
A strange recent transaction with a young Russian hacker left the security research firm Hold Security and the Russian with an enormous trove of compromised email addresses and passwords, the firm says.
It started when Tanya Tabakar, an analyst at cybersecurity firm Hold Security, found a post on a Russian-language dark net forum—the type where stolen data and credentials, often sometimes old and repackaged, are often bought and sold. The hacker insisted on being paid for the account information—even though he only charged 50 rubles ($0.75). “I am just getting rid of it but I won’t do it for free,” he said, as Tabakar wrote. After she told him ethically couldn’t pay, he eventually agreed to trade the information for a like on his page on the popular Russian social media site VK.
“Honestly, it’s the first time I personally saw such a big amount of data,” Tabakar told Vocativ. Estimates vary on just how much personal data is traded on such forums, though it’s undeniably huge. Previous studies estimate about half of Americans are hacked in some form each year. Email accounts that don’t enable two-factor authentication—registering a phone number, for example, which must be verified before a user can change their password—are at far greater risk.
Tabakar was able to glean precious little about the hacker, and how he was able to acquire that information. A resident of a small town in rural Russia, he didn’t fit the mold of a criminal mastermind. “He’s a real young person and he was very friendly,” Tabakar said. The fact that he possessed such data doesn’t mean he was the first to acquire or even to compile it—it’s just noteworthy that such a person was in possession of it, and could share it for next to nothing.
“He has a lot of friends all over the world [on VK],” she said. “Hackers like him play a lot of online games and that’s how they meet people and talk to people.”
The actual number of accounts the hacker sent her was nearly a billion addresses—917 million—but some of those were duplicates, and far more weren’t original, and existed in previous known data dumps from other hackers. Still, that left 272 million unique ones. More half of those came from popular email services like Yahoo, Gmail and AOL. Russian mail site mail.ru was the hardest hit, with more than 56 million accounts compromised.