IT security expert offered 272mn hacked Google, Microsoft, Yahoo passwords for $1


A prominent security expert says he acquired a
database with info for 272.3 million email accounts
from a hacker on a Russian underground forum in
exchange for a nice review.
The stolen IDs contain
data for Gmail, Yahoo Mail and Microsoft email
Alex Holden, a Ukrainian-American who runs the
Hold Security firm, told Reuters that he was
trawling through a Russian hacker forum when he
was offered a database containing 1.17 billion
records for a symbolic sum of 50 rubles – less
than $1. When Holden refused as a matter of
company policy, the owner gave up the data in
exchange for a positive comment on a hacker
“This information is potent. It is floating around in
the underground and this person has shown he’s
willing to give the data away to people who are
nice to him. These credentials can be abused
multiple times,” said Holden, who has previously
exposed details of wide-scale hacks at Target and


Once in possession of the data, Hold Security
eliminated duplicate accounts, paring the data
down to 272.3 million individual records. The
biggest breach appears to be from,
Russia’s biggest email provider, which has 64
million active users. Some 57 million passwords
from that service were in the database.


“An initial study of a random selection of entries
has shown that it contains no valid passwords for
live accounts,” said a statement from,
which received the data trove directly from Holden
without charge. “Also it contains different
passwords for the same email address, suggesting
that the database was compiled from different,
other websites, where the email address was used
as the login.”
“We are continuing to scan through the database,
and as soon as we have more information, we will
warn our users of any security risks,” said the
London Stock Exchange-listed company, which is
valued at over $4 billion.
Microsoft, which had 33 million IDs on the list,
emphasized that its two-step verification process
deters such breaches.
“Microsoft has security measures in place to
detect account compromise and requires
additional information to verify the account owner
and help them regain sole access,” said a
statement from the Seattle giant.
Yahoo, which was featured 40 million times, and
Google, which appeared 24 million times, have not
put out any public statements.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s