Millions of email names, passwords hacked in giant data breach, report says

UPDATED, MAY 9, 2016, 11:00 AM PT

More than 250 million email usernames and passwords have been breached and are being used by "Russia's criminal underworld," according to a Reuters report. 

Hold Security's Alex Holden, who reported the data breach, told Reuters that the breach affects many of the email addresses on Russia's popular Mail.ru service, as well as addresses from Google, Yahoo and Microsoft.

Holden said his firm came across a Russian hacker who claimed to have more than 1 billion hacked addresses for sale. In total, after eliminating duplicates, the list included 57 million Mail.ru addresses, 40 million Yahoo addresses, 33 million Hotmail addresses and 24 million Gmail addresses.

"This information is potent. It is floating around in the underground and this person has shown he's willing to give the data away to people who are nice to him," Holden told Reuters. 

In addition to those mentioned, there were also thousands of email addresses from German and Chinese email servers included in the lot. 

A Microsoft spokesperson told Mashable, “Unfortunately, there are places on the internet where leaked and stolen credentials are posted, and when we come across these or someone sends them to us, we act to protect customers. Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account.”

Additionally, a Google spokesperson told Mashable they were unable to comment on specific incidents, but they address abuse as quickly as possible.

The breach is the latest in a string of large-scale incidents. Last year, the data of more than 100 million people was stolen from nine companies, including the Wall Street Journal and J.P. Morgan, the largest-ever such breach in the United States. 

And the U.S. federal government has also been hit by massive breaches lately. One incident, which occurred in 2015, allowed hackers to access the personal data of tens of thousands of workers from the Office of Personnel Management. And earlier this year, another breach involved data from 30,000 employees from the FBI and the Department of Homeland Security (DHS).

UPDATE
A spokesperson for Yahoo told Mashable via email: “Our security team has investigated and we don’t believe there is any significant risk to our users based on the claims shared with the press. We always encourage our users to create strong passwords, or, even better, eliminate use of passwords altogether by using Yahoo Account Key.”

And a spokesperson for Mail.ru told Mashable: "The analysis shows that 99.982% of Mail.Ru account credentials found in the database are invalid. The database is most likely a compilation of a few old data dumps collected by hacking web services where people used their email address to register. Therefore, it is fair to assume that the sole purpose of issuing the report was to create media hype and draw the public attention to Holden’s cyber security business."

Have something to add to this story? Share it in the comments.