Russia’s top Internet company, Mail.ru said on Friday a sliver of its users’ email accounts was vulnerable while denying that tens of millions of other users were at risk after researchers found its data circulating among cyber criminals.
The company said in a statement credentials tied to its email accounts appeared to have been stolen from other, unrelated sites such as social networks or e-commmerce sites that ask users to sign up using email addresses like Mail.ru and pick passwords, which most often will not be the same as those for the email accounts.
“The database is most likely a compilation of a few old data dumps collected by hacking web services where people used their email address to register,” the Moscow-based company said.
However, the security expert who uncovered what he said were hundreds of millions of hacked usernames and passwords into some of the world’s biggest websites, said Mail.ru’s own analysis suggested that tens of thousands of users were at risk.
Alex Holden, founder of Hold Security, a U.S. firm that specialises in recovering stolen credentials from hackers, told Reuters on Wednesday his researchers had coaxed a young Russian hacker into disclosing the stolen data.
Reuters reported on Wednesday Hold Security’s discovery of 272.3 million stolen credentials globally, including 57 million at Mail.ru and smaller fractions of the email user bases of Google, Yahoo and Microsoft. Mail.ru recently reported 64 million monthly active email users.
In a statement, the Moscow-based company said its own study of sample data provided by Holden had found that 99.982 percent of Mail.ru account credentials on the hit list were invalid. Most had incorrect passwords or used fake email addresses.
But the company acknowledged that 0.018 percent of the usernames and passwords might have worked and said: “We have already notified the affected users to change their passwords.”
A Yahoo spokesperson said the company had obtained a sample of Hold Security’s data and does not believe “there is any significant risk to our users based on the claims shared with the press.”
Thefts of personal information or financial losses can result from hackers breaking into other accounts relying on the same credentials.
Mail.ru said it found that 12.42 percent of the sampling had been marked by its computers as suspicious and blocked.
Holden said he had supplied a randomised sample of data that represents less than one-tenth of the exposed Mail.ru records. He said he was ready to provide Mail.ru the full dataset.
Hackers know users cling to favourite passwords. It is why attackers reuse old passwords found on one account to try to break into other accounts of the same user.
Mail.ru said its experts constantly monitor the web for data dumps to see if Mail.ru account credentials are compromised. It said the “sole purpose” of revealing the possible credential theft was to create media hype and to promote Holden’s business.
Holden, whose firm earns commissions from providing threat intelligence to big companies, said he had spent the past week informing any company whose credentials appeared to have been stolen and was doing it for free.
“We have no claim to this information because we just retrieved it from the hacker and are sharing it with the community,” he said. Hold Security refuses to publish the database of stolen accounts but said it provides specific data to authorised technical staff at the affected firms.