Hold Security announced today that they have recovered 1.17 billion stolen credentials – 272 million of which were unique – from a Russian hacker known as ‘The Collector’. But what’s astounding is the fact that The Collector initially offered to return these credentials for only 50 roubles, the equivalent of about $1.
Hold Security have a zero tolerance policy for giving money to hackers for credentials, and so instead the hacker agreed to receive likes/votes on their social media page (so much for anonymity!) in exchange for the data. When pressed as to why they were accepting so little, The Collector responded “I am just getting rid of it but I won’t do it for free”. It seems that for him or her, the intellectual satisfaction from breaking into these systems is in itself the reward.
Additionally, 42.5 million credentials – 15% of the total – have never been seen before, and are therefore extremely valuable. Even with a conservative estimate of $5 per credential, The Collector’s hoard is still worth over $200 million! Granted, collecting this income is far from easy and can take time; however, even a small proportion of it would result in a substantial windfall.
So how were these credentials obtained and where are they from? The cache contained 57 million Mail.ru accounts, but also a sizable number of Yahoo (40 million), Microsoft Hotmail (33 million) and Gmail (24 million) accounts. Hold Security are still working on identifying the breaches from which they were stolen, but the takeaway is that if you have an account with any of these providers it is probably worth changing your password.
It’s fitting that this story breaks on World Password Day – so let this spur you into taking action, whether it’s updating your passwords, using a password manager or turning on multi-factor authentication.
Within several days of communication and after a couple more strategically timed votes on his social media pages, he shared more useful information. At the end, this kid from a small town in Russia collected an incredible 1.17 billion stolen credentials from numerous breaches that we are still working on identifying. 272 million of those credentials turned out to be unique, which, in turn, translated to 42.5 million credentials – 15% of the total – that we have never seen before.