Cache of Google, Microsoft, and Yahoo email credentials obtained by Hold Security needs to be verified, claims Have I Been Pwned founder
Experts have claimed that the security risk from a huge database of email credentials obtained by Hold Security from a hacker this week has been overblown, and that the data breach is not what it is purported to be at all.
Last night, cybersecurity firm Hold Security revealed that it had managed to obtain 272 million stolen email credentials from a Russian hacker on an online forum.
The email credentials contained login details and passwords from Mail.ru, Gmail, Hotmail, and Yahoo accounts.
But as experts moved to verify whether the data breach poses a risk to those users, some threw doubt on whether Hold Security’s find was even a discovery of a breach in the first place.
“There are a huge number of data breaches floating around the web at any time, often being sold or traded. However, many of them are not what they’re purported to be; they’re often aggregated from multiple sources and are frequently highly inaccurate,” security expert Troy Hunt told TechWeekEurope.
Hunt is the founder of data breach repository Have I Been Pwned, and said that in this instance, there is most likely not a breach.
“It’s almost certainly not a breach of Gmail or Outlook and at best it’s a collection of accounts obtained by phishing attacks or combining other publicly known breaches,” he said.
“I often come across very large breaches that are represented as something they’re not. I’m presently verifying an incident with tens of millions of accounts which is very likely not what it’s stated as being.”
Hold Security itself admitted that the haul is a “letdown” in terms of providing new credentials that may pose a risk to email users.
“Only 1 out of 200 credentials are ones we have never seen before,” said the company in a blog post published yesterday.
“Is it disappointing? Of course, but more importantly, we know that most of the stolen data has already been identified and many companies and individuals are already secured.”
Ultimately, Hold Security claims that out of the 272 million credentials obtained from the Russian hacker, just 42.5 million are credentials that the company hasn’t seen before.
“Those are being processed and distributed to companies and individuals who can secure their systems against abuse,” Hold Security said.
Hunt emphasised to TechWeekEurope the need for proper verification before rushing to conclusions.
“Verification takes time but it’s enormously important as a breach being represented as coming from a particular company can have serious ramifications for their reputation,” he said.
A spokesperson for Mail.ru, Russia’s largest email service provider and the company hit worst by the alleged breach, said that there is no evidence that the email and password combinations shown to it by Hold Security actually work.
Google, Microsoft, and Yahoo have yet to respond to TechWeekEurope’s request for comment.