A young hacker in Russia was convinced to swap a stolen cache of email and password data in exchange for being praised on a social media site, according to an article on cnet.com.
The account information, which numbered around 272 million credentials, was primarily from accounts on Russia’s largest email provider, Mail.Ru, but also contained account data from Gmail, Yahoo Mail and Microsoft Hotmail accounts.
The Russian hacker originally asked for 50 rubles, the equivalent of $1, for the packet of information, but after negotiating with Hold Security and its chief information officer, Alex Holden, himself a researcher specializing in Eastern European hacking, the youngster provided the data for simply being praised on a members-only hacking forum.
Clearly the hacker did not value the information contained in the exchange, but it could be potentially expensive for those with the hacked accounts that do not change their passwords regularly, or those who use the same password for multiple accounts.
Experts in the field of cyber security say trading hacked information like this are common everyday occurrences and they reveal just how vulnerable our passwords and subsequently our private account data can be. They add these types of breaches can be used to break into a larger number of accounts, and provide phishing opportunities to those so inclined.
“This information is potent,” Holden said. “It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him. These credentials can be abused multiple times.”
This is not the first incidence of hacking that Holden’s firm has uncovered. The company found a cache of 1.2 billion unique records in 2014, that ranks as the largest recovery of stolen accounts in the world. The company monitors cyber threats on forums and chat rooms, while developing profiles on suspected criminals.
Holden adds the company’s policy is to return the stolen data to the firms that have been exposed, at little or no cost, saying, “This is stolen data, which is not ours to sell.”