igor - Fotolia

More than a million Gmail and Yahoo account credentials on sale

Usernames, email addresses and plaintext passwords of more than a million Yahoo and Gmail accounts are reportedly on sale on the dark web, posing a threat to corporate security

Login credentials and other personal information linked to more than a million Gmail and Yahoo accounts is reportedly being offered for sale in a dark web marketplace.

The dark web, like the deep web, is not indexed by search engines such as Google, but typically requires specific software, configurations or authorisation to access it.

Dark web marketplaces typically trade in illegal goods and services, and have become a popular means of trading user data stolen from large companies offering online services.

A seller using the handle “SunTzu583” is reportedly selling 100,000 Yahoo accounts, from the 2012 Last.fm data breach in which 43 million accounts were compromised, for 0.0079 bitcoins ($10.75).

Another 145,000 Yahoo accounts from the 2013 Adobe breach of 153 million accounts and the 2008 MySpace compromise of 360 million accounts are on offer for 0.0102 bitcoins ($13.75), according to a report by HackRead.

SunTzu583 is also reportedly selling 500,000 Gmail accounts for 0.0219 bitcoins ($28.24). The accounts allegedly come from the 2008 MySpace hack, the 2013 Tumblr breach and the 2014 Bitcoin Security Forum breach.

Another 450,000 Gmail accounts were also listed on sale for 0.0199 bitcoins ($25.74) from other data breaches that took place between 2010 and 2016, including the Dropbox, the Adobe and other breaches.

The data on sale by SunTzu583 has reportedly been checked by matching it to data on data breach notification platforms, including HaveIBeenPwned.

Stolen credentials are one of the biggest threats to enterprise security, according to penetration testers, because many people still use the same password for work systems and personal online accounts.

Read more about data breaches

  • Mossack Fonseca breach underlines need to focus cyber security on key data, say experts, after law firm’s founder insists the company was breached by an outside hacker.
  • Drawing on insights from more than 400 senior business executives, research from Experian reveals many businesses are ill-prepared for data breaches.
  • The rise in high-profile security breaches has led to an increasingly worried UK public, calling for 24-hour monitoring of sensitive information.
  • Considering that a data breach could happen to any company at any time, a plan of action is the best tactic.

Using automation tools, attackers are able to try email address, username and password combinations against corporate IT systems. Any match enables them to log in to corporate networks as an authorised user and to look for data assets undetected by most security controls.

Many businesses are still failing to implement two-factor authentication and require password changes, despite the fact that this would eliminate of the biggest security risks. 

According to a June 2016 report by mobile identity firm TeleSign, 73% of online accounts are guarded by duplicate passwords and 54% of consumers use five or fewer passwords for all their online accounts. The report also said 47% of online account holders rely on a password that has not been changed for five years.

Security advisors recommend the use of a password manager to generate, store and change regularly strong, unique passwords for all accounts. ... ...

Read more on Privacy and data protection