Only 272 million credentials turned out to be unique

May 5, 2016 09:00 GMT

A Russian hacker nicknamed "The Collector" is selling a stash of 1.17 billion stolen email addresses, some of which come with login credentials, for only 50 Rubles, which is approximately 76 US cents.

In a blog post today, Hold Security reveals how they found the data traded on Russian underground hacking forums.

As expected, the data, around 10GB in size, contained a lot of duplicates. Hold Security experts claim that of the 1.17 billion email addresses, only 272 million credentials turned out to be unique, with 42.5 million credentials being email addresses the company has never seen before.

Millions of Gmail, Yahoo, and Hotmail accounts and credentials

Of these, the security firm says that 57 million were Mail.ru accounts. Last year, the Russian email service boasted of having 64 million monthly active users.

Researchers also found 40 million Yahoo email accounts, 33 million Hotmail accounts, and 24 million Gmail accounts. Email accounts from local email services in Germany and China were also uncovered.

The company revealed that 917 million of these accounts also included login credentials. Hold Security said that most of these account and password combos were heavily reused.

"Out of 80 million credentials starting with the letter “A” only 19 million unique credential pairs are found. It is not unusual that most people still reuse credentials across different services, but nearly a 75% overlap is substantial," Hold Security blogged today.

Hold Security previously uncovered a bigger data trove

But the problem of password reuse is not new, and neither are Hold Security's findings. The company also discovered 360 million credentials and 1.25 billion email addresses back in February 2014.

That stash included emails and credentials stolen from Adobe and Cupid Media, and it helped the company's researchers uncover other data breaches. Once again, Hold Security experts say they'll investigate the data and contact any company they think might have suffered a data breach.

A Hold Security spokesperson revealed that in April 2016 alone, the company detected over 120 million stolen records traded on the Dark Web, and that they regularly see 100 million such records on average every month of the year.