Mail.Ru Group’s information security specialists have studied the sample of data received from Alex Holden. The analysis shows that 99.982% of the Mail.Ru account credentials found in the database are invalid. The database is most likely a compilation of several old data dumps collected by hacking web services where people used their email address to register. Therefore, it is fair to assume that the sole purpose of issuing the report was to create media hype and draw public attention to Holden’s cyber security business.
22.56% of the database entries analyzed contain email addresses that do not even exist, 64.27% contain wrong passwords, and some of the entries (0.74%) have no password whatsoever. The remaining 12.42% of accounts had already been marked as suspicious by Mail.Ru (meaning that our system considers them either hacked or controlled by a bot) and blocked. Those accounts cannot be accessed by simply entering a username and password, as the owner first has to go through the account recovery procedure.
Only 0.018% of the username/password combinations in the sample analyzed might have worked. We have already notified the affected users and asked them to change their passwords.
It is notable that 15% of the username/password combinations found in the database contain the same username paired with 9 or more different passwords. Most of those passwords are not real, but were generated by fraudsters for brute-force attacks. Such passwords are usually derived from commonly used passwords or from users’ personal data. Data dumps of this kind are also sold on the black market and were most likely included in the compiled database to inflate the number of entries and make the total look impressive.
Databases containing usernames and passwords of email users are in high demand on the black market. As a rule, big email providers are well protected against cyber attacks, so such databases are usually compiled by hacking minor websites (forums, small online stores, torrent sites) where people use their email address as a username and often reuse the password of their email account. Mail.Ru experts constantly monitor the web for such data dumps and check whether the Mail.Ru account credentials in them are still valid. If they are, the compromised account is blocked immediately, and its owner has to go through the account recovery procedure.
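The two checks described above, bucketing each dump entry (nonexistent address, wrong password, empty password, already blocked, still valid) and flagging usernames that appear with many different passwords, can be scripted. The following is an added illustration, not Mail.Ru’s own tooling, and it goes slightly beyond the text by running the triage against a local account store that holds only salted PBKDF2 hashes, so the check never needs plaintext passwords on the provider’s side. The account store, the dump lines, the `email:password` dump format, the bucket names and the order of the checks are all assumptions made for the example.

```python
"""Triage of a leaked credential dump against a local account store.

Constructed example, not Mail.Ru's own code. Assumes the dump is a text file
of "email:password" lines and that the account store keeps only a salt, a
PBKDF2-SHA256 hash and a blocked flag per account.
"""
import hashlib
import hmac
import os
from collections import Counter, defaultdict

PBKDF2_ROUNDS = 20_000  # kept low for the demo; use a far higher count in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_store(accounts):
    """accounts: iterable of (email, plaintext_password, blocked).
    Returns dict email -> (salt, hash, blocked). Plaintext is discarded."""
    store = {}
    for email, password, blocked in accounts:
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt), blocked)
    return store


def parse_dump(text: str):
    """Parse 'email:password' lines. Splits on the first ':' only, since
    passwords may themselves contain ':'. Blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        entries.append((email.strip().lower(), password))
    return entries


def classify(entries, store):
    """Bucket each entry. Check order is an assumption: empty password first,
    then unknown address, then wrong password, then blocked, else valid."""
    counts = Counter()
    valid = []
    for email, password in entries:
        if password == "":
            counts["no_password"] += 1
            continue
        record = store.get(email)
        if record is None:
            counts["no_such_account"] += 1
            continue
        salt, stored_hash, blocked = record
        if not hmac.compare_digest(hash_password(password, salt), stored_hash):
            counts["wrong_password"] += 1
        elif blocked:
            counts["already_blocked"] += 1
        else:
            counts["valid"] += 1
            valid.append(email)
    return counts, valid


def bruteforce_clusters(entries, threshold=9):
    """Addresses paired with `threshold` or more distinct passwords: the
    signature of generated guess lists rather than real leaked credentials."""
    seen = defaultdict(set)
    for email, password in entries:
        seen[email].add(password)
    return {e for e, pws in seen.items() if len(pws) >= threshold}


def triage(dump_text, store, threshold=9):
    entries = parse_dump(dump_text)
    counts, valid = classify(entries, store)
    total = len(entries)
    buckets = {k: (v, round(100 * v / total, 3)) for k, v in counts.items()}
    return {
        "total": total,
        "buckets": buckets,
        "valid_accounts": valid,
        "bruteforce_clusters": bruteforce_clusters(entries, threshold),
    }


# Constructed account store and dump; none of these are real accounts.
STORE = make_store([
    ("alice@example.com", "correct horse battery", False),
    ("bob@example.com", "hunter2", False),
    ("carol@example.com", "S3cret!", True),  # already blocked as suspicious
])

SAMPLE_DUMP = (
    "alice@example.com:correct horse battery\n"
    "bob@example.com:wrongpass\n"
    "carol@example.com:S3cret!\n"
    "nobody@example.com:whatever\n"
    "dave@example.com:\n"
    + "".join(f"bob@example.com:bob{i}\n" for i in range(10))  # generated guesses
)

if __name__ == "__main__":
    report = triage(SAMPLE_DUMP, STORE)
    print(report["total"], report["buckets"])
    print("notify/reset:", report["valid_accounts"])
    print("likely brute-force clusters:", report["bruteforce_clusters"])
```

Only the `valid_accounts` list needs action (forced password reset and notification); the `bruteforce_clusters` set shows which addresses inflate the dump with guess lists, which is the 15% effect described above.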
“Holden’s report aims to impress by huge numbers, but the real value of the data is very low. According to Holden himself, 99.55% of the username/password combinations are outdated. Our analysis shows that the number of the expired or otherwise invalid combinations is even higher (99.982%). What’s more, we regularly monitor the web for credential dumps and check them in order to take steps to protect our users when necessary. Therefore, it is fair to assume that the sole purpose of issuing the report was to create media hype and draw the public attention to Holden’s cybersecurity business. The number of Mail.Ru accounts in the database is large due to the fact that Holden has acquired the database from a Russian ‘hacker’, and Mail.Ru is the biggest email provider in Russia and the Russian-speaking Internet segment,” says Anna Artamonova, Vice-President of Mail.Ru Group, Head of the Email and Portal business unit. “We take a very serious approach to ensure our users’ security, and we take special pride in our information security team. It’s sad that this case casts a shadow over their image.”
Independent experts confirm the conclusions of Mail.Ru Group’s investigation. According to Yuri Namestnikov, Senior Security Researcher at Kaspersky Lab’s Global Research and Analysis Team, the database is very likely to have been obtained through a number of phishing attacks, by sending users phishing emails. This is borne out by the rather low quality of the database, which contains few working accounts. If the hackers had really found vulnerabilities that allowed access to accounts at several email services, both the quality and the price of the database would be higher.
We have been continuously enhancing the security of the Mail.Ru email service. Last year we launched two-factor authentication, which we strongly recommend all our users set up, as it is one of the most effective ways to protect an email account. The security features we have introduced over the past years include switching Mail.Ru email and the portal to HTTPS by default, a Content Security Policy, separation of user sessions and many others. We also no longer offer new users a security question as a password recovery method. Mail.Ru email was the first Mail.Ru Group service to launch a bug bounty program on the international HackerOne platform. The company also works hard to warn users about common internet threats such as viruses, phishing and social engineering, and to educate them on how to protect themselves from those threats.
On May 4, 2016, Reuters published the results of Alex Holden’s report, which claimed a massive security breach at major email services. According to Holden, hundreds of millions of usernames and passwords for email accounts had been stolen.