“More than 250 million email accounts breached” – but how bad is it really?

Reuters just broke a story about a password breach said to affect more than 250 million webmail accounts around the world.

The claims come from an American cyberinvestigation company that has reported on giant data breaches before: Hold Security.

The company’s founder, Alex Holden, reportedly told Reuters that:

The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia’s most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users.

The database supposedly contained “credentials,” or what Reuters referred to as “usernames and passwords,” implying that the breached data might very well let crooks right into the affected accounts without further hacking or cracking.

Stolen email accounts are extremely useful to cybercriminals.

For example, they can read your messages before you do, putting them in a powerful position to scam your friends, family, debtors or creditors out of money by giving believable instructions to redirect payments to bogus bank accounts.

They can learn a raft of important personal details about your life, making it much easier for them to defraud you by taking out loans in your name.

Worst of all, they may be able to trigger password resets on your other online accounts, intercept the emails that come back, and take over those accounts as well.

How bad is it?

Unfortunately, we can’t yet tell you how serious this alleged breach really is.

The good news, straight off the bat, is that the figure of “272.3 million stolen accounts” is some three or four times bigger than reality.

Many of the accounts were repeated several times in the database, with Holden admitting that, after de-duplication, only 57,000,000 Mail.ru accounts remained, plus “tens of millions of credentials” for Google, Yahoo and Microsoft accounts.

More good news is that if the stolen data really does include the actual passwords used by the account holders, it’s highly unlikely – in fact, it’s as good as impossible – that the database came from security breaches at any of the webmail providers listed.

Properly-run web services never store your actual password, because they don’t need to; instead, they store a cryptographic value known as a hash that can be computed from your password.

The idea is that if even if crooks manage to steal the whole password database, they can’t just read the passwords out of it.

Instead, they have to guess repeatedly at each password, and compute the hash of each guess in turn, until they get a match.

Poorly chosen passwords can still be cracked, because the crooks try the most likely guesses first.

But a reasonably complex password (something along the lines of IByoU/nvr/GE55, short for I bet you never guess) will take so long to turn up in the criminals’ “guess list” that it becomes as good as uncrackable, especially if you change your password soon after hearing about a breach.

If the passwords in this case are real, it seems likely that they were stolen directly from users as they typed them in, for example by means of malware known as a keylogger that covertly keeps track of your keystrokes.

The best news of all is that Mail.ru, according to Reuters, has said its early investigations revealed “no live combinations of usernames and passwords which match existing emails.”

If that turns out to be true in general, it’s a reasonable guess that the stolen data is either out-of-date or concocted.

Wherever it was that the data came from, the crooks who are selling it online don’t seem very confident in its accuracy.

Holden was originally asked by the seller to pay just RUB50 (less than $1) for the whole lot, and in the end paid no money at all: he was apparently given it in return for leaving a positive review of the “seller” on an underground forum.

What to do?

A good next step is to head over to the password advice we just published to celebrate #PasswordDay, which serendipitously takes place today.

In this case:

  • Change your passwords if you suspect that they may have been stolen, for example if you’ve experienced a malware infection recently.
  • Change your passwords if you have any accounts that share the same password, and DON’T DO THAT AGAIN.
  • Consider using two-factor authentication (also called two-step verification) on any accounts that offer it.

Two-factor authentication (2FA) usually works by asking you to type in a special code every time you login, in addition to your regular password.

That code might be sent to you via SMS, or generated by a dedicated app on your phone, and it’s different every time, so your password alone just isn’t enough to access the account.

Generally speaking, 2FA is a minor hassle to use, but a major obstacle for the crooks, so we recommend it.

LEARN MORE ABOUT 2FA

(Audio player not working? Download MP3 or listen on Soundcloud.)