Russian 'Collector' Sells Stolen Email Credentials for a Song


ManageEngine OpManager, a powerful NMS for monitoring your network, physical & virtual (VMware/ HyperV) servers & other IT devices. Deploy and start monitoring in less than an hour. Trusted by over a million admins world-wide. Try it for free.

A hacker dubbed "The Collector" turned over 272 million stolen email credentials in his possession, Hold Security announced Wednesday.

The hacker bragged online about the stash, which included usernames and passwords, the firm said. It got a copy of the data -- which the hacker was peddling for 50 rubles, or less than US$1 -- after giving him a shout-out in the forum.

"We found a post on one of the Russian dark Web forums from a hacker alleging collecting hundreds of millions of credentials," said Alex Holden, chief information security officer at Hold Security.

"After further private conversations, he shared 1.17 billion records which contained 272 million unique user ID and password pairs," he told the E-Commerce Times.

The company realized the haul was the result of a number of different breaches, especially since 42.5 million, or 15 percent of the credentials, it had never seen on the black market before, Holden said.

Hold Security knows the vectors of the attacks, but most of the data is unattributed and too mixed to identify exactly how all of it was accessed.

The stolen credentials in that group included unencrypted passwords. In addition, most of the credentials were being traded on the black market but not widely shared, Holden said.

Hold Security isn't the only company that may have seen this information. "We make no illusion that this data was only shared with us," he said. "Given the ease with which it was given away, it was likely shared many times by the hacker," who he estimated to be between 18 and 25 years old.

The company is still trying to nail down the exact time frame, but the breaches definitely took place within the past year, it said.

A victim of this type of breach is vulnerable to all forms of activity, as the login credentials can be used to breach additional accounts and gain information about an email client, Holden warned.

"Your user ID and password are like your house keys," he said. "Once you lose a key, it is best to change the locks right away."

Underground dark Web forums operate in some ways similar to traditional social media networks, with hackers posting profile pages and exchanging goods and services to enhance their online reputation, according to Sasha Hellberg, a threat researcher at Trend Micro.

"Forums are made and broken by the number of active users and likes they have," she told the E-Commerce Times. "They link to their friends and their wares, and they promote each other and their capabilities."

Email credentials can be accessed using several methods, including publicly leaked breaches, credential theft botnets, brute-force attacks and phishing, said Cameron Sabel, intelligence analyst at FireEye.

Corporate accounts tend to be the most valuable to hackers as they are often used to breach corporate networks, he told the E-Commerce Times.

More alarmingly, GreatHorn has traced a security breach that may be directly linked to the Russian credential dump, CEO Kevin O'Brien said.

An account belonging to a prominent U.S. venture capitalist began sending a credential-stealing cloud document to GreatHorn and many of its clients, but it was not a spoofed message, had no malware or blacklisted URLs, and bypassed security gateways and made it directly into user inboxes.

"Based on our analysis, we believe this was a result of this attack," O'Brien told the E-Commerce Times. GreatHorn has seen logins to Europe that the attack compromised.

"The clear value of credentials to hackers is that they allow them to not only gain illicit access to the private data of the victims, but also use those same email accounts to move east-west -- that is, to laterally attack other trusted contacts," he said.

"Unfortunately, there are places on the Internet where leaked and stolen credentials are posted, and when we come across these or someone sends them to us, we act to protect customers," a Microsoft spokesperson in a statement provided to the E-Commerce Times by company representative Molly Terrell. "Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account."

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.

0 Comment

Leave a Reply

Captcha image


  • 5300c769af79e

    Uber App Update To Track Driver Behavior

    The update also adds notifications designed to promote better driving, like reminders to take breaks and to mount the phone used for the driver app on the dashboard rather than keeping it in-hand.The update coincides with the approach of the Fourth of July in the US, a holiday consistently marred by driving fatalities.
  • 5300c769af79e

    Facetune 2 (for iPhone)

    The company still offers the original Facetune app in the App Store for a $5.It's still a great app, but it lacks some of Facetune 2's coolest features, such as Relight and live face reshaping (more on these in bit).
  • 5300c769af79e

    Unlocked HTC 10 Now Working on Verizon, But There are Prerequisites

    We have attempted to throw an active Verizon SIM into the unlocked model of the HTC 10, but it doesn’t work.This really shouldn’t shock anyone, even though the device features the necessary radios to run on Big Red’s network.
  • 5300c769af79e

    Inside The NBA's Tech Training Revamp

    It hopes to accelerate the adoption of new technologies by educating workers in ways that work best for them.The new group contains a service desk, a desktop group for addressing user technology problems, and a training group.