The whole world was treated to scare tactics with a well-timed missive from Alex Holden’s Hold Security company, propagating more Fear, Uncertainty and Doubt among the email industry and its users.
On May 4, 2016, Reuters published the results of Alex Holden’s report, which contained information about a massive security breach found at major email services. According to Holden, hundreds of millions of usernames and passwords for email accounts had been stolen.
In an extremely well-executed PR campaign, timed for World Password Day, the story was released exclusively to Reuters. Hundreds of millions of usernames and passwords were available on the internet, we learned: 270+ million usernames were at risk of being exploited by criminals who had the passwords and could gain access to whatever lay in your inbox, then use that to access bank accounts and more.
To be fair, Alex Holden has uncovered some of the biggest troves of data made available as a result of previous security breaches. But this story also carried some fairly big red flags which journalists seemed not to notice, or chose to overlook. For example, this was supposed to be the single most significant collection of compromised email accounts ever made available, and the asking price was only a dollar, or, if you were not prepared to pay, some ‘likes’ on the social feed of the juvenile who had the data.
</gml_replace>
<gr_replace lines="5" cat="clarify" orig="Then there was">
Then there was the fact, highlighted by Holden himself, that he was offered a file of more than 2 billion records which, on deduplication, shrank to less than 300 million. Surely that would raise a few questions? Were the duplicates removed whole username/password pairs, or just repeated usernames, for example? Important points were not raised, and it read like a romanticised tale of the shadowy underworld of the darknet and the good guys fighting a crusade, almost superhero qualities, and all at no cost it seemed. There was no hint of financial motivation on the part of the security company.
Then there was the fact Holden highlighted the fact that he was offered a file of more than 2 billion records and on deduping the file reduced to less than 300 million. Surely that would raise a few questions? Were duplicate user and passwords found or just usernames for example. Important points were not raised and it read like a romanticised tale of the shadowy underworld of the darknet and the good guys fighting a crusade, almost superhero qualities and all at no cost it seemed. No hint of financial motivation on the part of the security company.
Mail.ru asked for some time to verify details, but the security company had granted exclusivity for a specified period, so, up against the clock, Reuters went to press, and the world media soon after started republishing the allegations and urging everyone to reset passwords. Mail.ru had advised that every detail shared thus far had been invalid.
It took less than 3 days for independent analysis and verification: 99.9% of the database entries Holden had supplied were invalid. Mail.Ru Group’s Security Team shared the analysis with Kaspersky. Mail.ru had the most to lose here, as the claim from Reuters was that almost every account they had was compromised.
99.982% of Mail.Ru account credentials found in the database are invalid, they stated. The database is most likely a compilation of a few old data dumps collected by hacking web services where people used their email address to register. Therefore, it is fair to assume that the sole purpose of issuing the report was to create media hype and draw the public’s attention to Holden’s cyber security business.
22.56% of the database entries analysed contain email addresses that do not even exist, 64.27% contain wrong passwords, and some of the entries (0.74%) have no passwords whatsoever. The 12.42% remaining accounts had already been marked as suspicious by Mail.Ru (which means that our system considers those either hacked or controlled by a robot) and blocked. Those accounts cannot be accessed by simply entering username and password, as the owner would have to recover access to the account first.
Only 0.018% of username/password combinations in the sample analysed might have worked. We have already notified the affected users to change their passwords.
It is notable that 15% of username/password combinations found in the database contain the same username paired with 9 or more different passwords. Most of those passwords are not real, but generated by fraudsters for brute-force attacks. Such passwords are usually based on the commonly used passwords or on users’ personal data. Data dumps of this kind are also available in the black market and were most likely included in the compiled database to increase the number of entries and make the total number impressive.
Databases containing usernames and passwords of email users are in high demand in the black market. Mail.Ru experts constantly monitor the web for such data dumps and check if Mail.Ru account credentials are valid. If they are, the compromised account is blocked immediately, and its owner has to undergo an account recovery procedure.
“Holden’s report aims to impress by huge numbers, but the real value of the data is very low. According to Holden himself, 99.55% of the username/password combinations are outdated. Our analysis shows that the number of the expired or otherwise invalid combinations is even higher (99.982%). What’s more, we regularly monitor the web for credential dumps and check them to take steps to protect our users when necessary.”
Independent experts confirm the conclusions of Mail.Ru Group’s investigation. According to Yuri Namestnikov, Senior Security Researcher at Kaspersky Lab’s Global Research and Analysis Team, the database is very likely to have been obtained through phishing attacks, by sending users phishing emails. This is borne out by the rather low quality of the database, which contains few working accounts. If the hackers had found vulnerabilities that allowed access to accounts at several email services, both the quality and the price of the database would be higher.
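To make the triage that Mail.Ru describes above concrete, here is an added Python example (not Mail.Ru’s or Hold Security’s code) that applies the same checks to a constructed sample dump: exact-duplicate removal as in the 2 billion-to-300 million shrink, entries with no password at all, and the “one username paired with 9 or more passwords” signal that marks a brute-force wordlist rather than a genuine leak. The sample lines, the `user:password` format and the threshold of 9 are assumptions for illustration; whatever survives triage should be compared against a provider’s stored hashes offline, not by attempting logins.

```python
from collections import defaultdict

# Constructed sample dump (user:password per line); not real credentials.
SAMPLE_DUMP = """\
alice@example.test:Summer2016
alice@example.test:Summer2016
bob@example.test:
carol@example.test:hunter2
dave@example.test:pass1
dave@example.test:pass2
dave@example.test:pass3
dave@example.test:pass4
dave@example.test:pass5
dave@example.test:pass6
dave@example.test:pass7
dave@example.test:pass8
dave@example.test:pass9
not-an-email
"""

WORDLIST_THRESHOLD = 9  # Mail.Ru's signal: one username paired with 9+ passwords

def parse_dump(text):
    # Split 'user:password' lines; lines without a separator count as malformed.
    pairs, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            malformed.append(line)
            continue
        user, _, password = line.partition(":")
        pairs.append((user.lower(), password))
    return pairs, malformed

def triage(text, threshold=WORDLIST_THRESHOLD):
    """Classify dump entries so only plausible leaks reach an offline hash-compare step."""
    pairs, malformed = parse_dump(text)
    unique = set(pairs)                       # drop exact username/password repeats
    by_user = defaultdict(set)
    for user, pw in unique:
        by_user[user].add(pw)
    # Usernames carrying many different passwords look like generated guess lists.
    guess_users = {u for u, pws in by_user.items() if len(pws) >= threshold}
    empty = sum(1 for _, pw in unique if not pw)
    candidates = sum(1 for u, pw in unique if pw and u not in guess_users)
    return {"raw": len(pairs), "malformed": len(malformed), "unique": len(unique),
            "empty_password": empty, "guess_users": sorted(guess_users),
            "candidates": candidates}   # entries worth checking against stored hashes
```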