We found out that the collection of username/password combinations Alex Holden had turned up contains some logins of Mail.Ru's users. We have already contacted Alex Holden and got a sample of data. Early analysis shows that many username/password combinations contain the same username paired with different passwords. It means that the base is compiled from different sources, where people used email addresses as their usernames. We are now checking whether any username/password combinations match valid login information for our email service, and as soon as we have enough information we will warn the users that might have been affected. The first check of a sample of data showed that it does not contain any combinations valid for email.
We’ve been continuously enhancing the security system of the Mail.Ru email service. Last year we launched two-factor authentication, which we strongly recommend all our users set up, as it is one of the most effective ways to protect an email account. The list of security features we have introduced over the past years includes switching Mail.Ru email and portal to HTTPS by default, content security policy, separation of user sessions and many others. Also, we no longer offer new users a security question as a password recovery method. We also work very hard to warn our users about common internet threats such as viruses, phishing and social engineering, and to educate them on the ways to protect themselves from those security threats.