Skip to content
Naked Security Naked Security

“More than 250 million email accounts breached” – but how bad is it really?

An American cyberinvestigation company claims to have acquired more than 250 million email accounts via the criminal underground

Reuters just broke a story about a password breach said to affect more than 250 million webmail accounts around the world.

The claims come from an American cyberinvestigation company that has reported on giant data breaches before: Hold Security.

The company’s founder, Alex Holden, reportedly told Reuters that:

The discovery of 272.3 million stolen accounts included a majority of users of, Russia’s most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users.

The database supposedly contained “credentials,” or what Reuters referred to as “usernames and passwords,” implying that the breached data might very well let crooks right into the affected accounts without further hacking or cracking.

Stolen email accounts are extremely useful to cybercriminals.

For example, they can read your messages before you do, putting them in a powerful position to scam your friends, family, debtors or creditors out of money by giving believable instructions to redirect payments to bogus bank accounts.

They can learn a raft of important personal details about your life, making it much easier for them to defraud you by taking out loans in your name.

Worst of all, they may be able to trigger password resets on your other online accounts, intercept the emails that come back, and take over those accounts as well.

How bad is it?

Unfortunately, we can’t yet tell you how serious this alleged breach really is.

The good news, straight off the bat, is that the figure of “272.3 million stolen accounts” is some three or four times bigger than reality.

Many of the accounts were repeated several times in the database, with Holden admitting that, after de-duplication, only 57,000,000 accounts remained, plus “tens of millions of credentials” for Google, Yahoo and Microsoft accounts.

More good news is that if the stolen data really does include the actual passwords used by the account holders, it’s highly unlikely – in fact, it’s as good as impossible – that the database came from security breaches at any of the webmail providers listed.

Properly-run web services never store your actual password, because they don’t need to; instead, they store a cryptographic value known as a hash that can be computed from your password.

💡 LEARN MORE: How to store your users’ passwords safely ►

The idea is that if even if crooks manage to steal the whole password database, they can’t just read the passwords out of it.

Instead, they have to guess repeatedly at each password, and compute the hash of each guess in turn, until they get a match.

Poorly chosen passwords can still be cracked, because the crooks try the most likely guesses first.

But a reasonably complex password (something along the lines of IByoU/nvr/GE55, short for I bet you never guess) will take so long to turn up in the criminals’ “guess list” that it becomes as good as uncrackable, especially if you change your password soon after hearing about a breach.

If the passwords in this case are real, it seems likely that they were stolen directly from users as they typed them in, for example by means of malware known as a keylogger that covertly keeps track of your keystrokes.

The best news of all is that, according to Reuters, has said its early investigations revealed “no live combinations of usernames and passwords which match existing emails.”

If that turns out to be true in general, it’s a reasonable guess that the stolen data is either out-of-date or concocted.

Wherever it was that the data came from, the crooks who are selling it online don’t seem very confident in its accuracy.

Holden was originally asked by the seller to pay just RUB50 (less than $1) for the whole lot, and in the end paid no money at all: he was apparently given it in return for leaving a positive review of the “seller” on an underground forum.

What to do?

A good next step is to head over to the password advice we just published to celebrate #PasswordDay, which serendipitously takes place today.

💡 LEARN MORE: Advice for #PasswordDay ►

In this case:

  • Change your passwords if you suspect that they may have been stolen, for example if you’ve experienced a malware infection recently.
  • Change your passwords if you have any accounts that share the same password, and DON’T DO THAT AGAIN.
  • Consider using two-factor authentication (also called two-step verification) on any accounts that offer it.

Two-factor authentication (2FA) usually works by asking you to type in a special code every time you login, in addition to your regular password.

That code might be sent to you via SMS, or generated by a dedicated app on your phone, and it’s different every time, so your password alone just isn’t enough to access the account.

Generally speaking, 2FA is a minor hassle to use, but a major obstacle for the crooks, so we recommend it.


(Audio player not working? Download MP3 or listen on Soundcloud.)


“”Properly-run web services never store your actual password”

Paul, do you know which vendors do this? We’d love to say “Yahoo/Google/Facebook/Target” is big enough to devote proper resources to it…but at least one of those “big enough to know better” entities has proven otherwise in the past–hopefully while resolving to improve.

Maybe a list of top vendors verified by a security researcher (maybe you’ve done this yourself)?


Adobe is a famous case of a company that joined the 100,000,000 club and yet didn’t hash passwords (it did encrypt them, but without any salt so every “password” or “123456” came out the same).

Some sites state what process they use to store password verification data (e.g, PBKDF2 with HMAC-SHA256 and 20,000 iterations). Others don’t. A “try to find out” article might be fun…but it might also take a lonnnnnnnnng time to do :-(


thought I replied last week–I do occasionally fail to hit ‘post’ or ‘send’

‘A “try to find out” article might be fun…but it might also take a lonnnnnnnnng time’

You’re clearly the man for the job, double-oh-seven. I vow to wait as patiently and quietly as I can if you promise us it sits on the back burner and never falls behind the stove.


It’s worth noting that Microsoft – for whatever reason – restricts passwords to between 8 and 16 characters. So that substainally reduces the attack space and guesses required to crack a Microsoft email password offline; encryption algorithm and salt notwithstanding. You know in advance how short or long the password must be.

Looking further into it there are also some disallowed characters and phrases. The following rule is also in affect: “Passwords must have at least 8 characters and contain at least two of the following: uppercase letters, lowercase letters, numbers, and symbols.”
Plugging in the length, complexity and character requirements narrows the attack space even further…


Google also has a 16-character limit in Android. No idea why.

OTOH, a reasonably well-chosen 16-character password, even one that is forced into the pattern you mention, still comes from a search space that is truly enormous.

In other words, 16-character limits or not, I still hold the opinion that an underground database with many millions of Microsoft and Google webmail passwords in it [a] didn’t come directly from Microsoft or Google (I’m taking “the passwords weren’t stored in plaintext” as a fact) and [b] almost certainly didn’t come from an otherwise-undocumented breach of hashes stored by Microsoft or Google, followed by a massively successful cracking session.

I’m guessing as I did in the article: acquired by other means, or concocted.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!