Troubling news for Gmail and other online email account users has emerged today, as a team of security researchers has reported that hundreds of millions of usernames and passwords are being exchanged and traded online. This discovery is one of the largest since cyber attacks hit major US banks and retailers two years ago.
According to Alex Holden, chief information security officer at Hold Security, details of 272.3 million accounts have been compromised. The breach mainly affects users of Russia’s very popular Mail.ru service, but also includes a notable number of Gmail, Yahoo, and Microsoft email customers. The security company reckons that the leak contains details about a worrying 57 million of the 64 million Mail.ru monthly users, while also leaving some tens of millions of Gmail, Ymail, Hotmail, and other customers exposed. As for the exact numbers, 40 million unique accounts belonged to Yahoo customers, 33 million were Hotmail, and 24 million came from Gmail.
What’s perhaps even more distressing is that the breach was only uncovered after a young Russian hacker was found bragging about his accomplishments in an online forum, where he was selling some 1.17 billion records. The hacker was selling the usernames and passwords to accounts for just 50 rubles, approximately $1, each and gave the data over to Holden’s team in exchange for favorable online comments.
“Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access” – Microsoft
Hold Security has not disclosed whether it knows how this huge amount of data was collected, but the company began informing affected companies about the breach 10 days ago. Mail.ru and Microsoft have officially acknowledged the issue, but Yahoo and Google have not yet responded to requests for comment. We don’t know how many of these exposed details are still active, and fortunately Mail.ru reports that no initial details that it has seen match any active username and password combinations.
Beyond the huge number of email details exposed, security experts are equally concerned about the risks to users’ other accounts. Many people, myself included, use the same or a small selection of passwords across numerous services, which makes the sale of passwords particularly problematic, as it might expose user login details to any number of accounts associated with an email address.
If you are concerned that your account may have been exposed, there are a number of steps you can take to help protect yourself. First, go in and change your password to something new, preferably a strong combination of numbers and letters. If you want strong security without having to remember lots of different passwords, a password manager service can offer protection from this kind of hack. Secondly, check for backup email addresses associated with your account and remove any that you don’t own, so that hackers can’t simply change your password back. Most email services, Gmail included, also offer two-step authentication for accounts, which you should enable. This helps to protect account access by requiring confirmation of any new access on a device that you already own, such as your smartphone.
Attacks of this kind are rare, but unfortunately they do occur. It is best to keep your online accounts safe by using unique, secure passwords across all of your different accounts.