UPDATED 14:07 EST / MAY 04 2016


200 million emails compromised: Is yours on the list?

A massive hack has resulted in the theft of usernames and passwords for email accounts and other websites, which are now on sale in Russia. The haul includes users of Google, Yahoo, and Microsoft email, as well as Russia’s Mail.ru service, and stands as one of the largest credential thefts in the history of cyber attacks.

According to Reuters, a Russian hacker nicknamed “The Collector” posted in an online forum about stealing the credentials, and is selling them all for a mere 50 roubles – which comes out to less than one American dollar. Apparently the hacker’s goal was not to make a profit, but instead to earn bragging rights, prove a point, or just to show he could.

In spite of the small price tag, the data within is incredibly valuable. Just gaining access to a person’s email account gives someone access to a huge part of their life, and people often use the same password across multiple websites, so anyone who uses the same or similar passwords connected to their email may find their accounts on several sites at risk.

According to Alex Holden, founder and chief information security officer of Hold Security: “This information is potent. It is floating around in the underground and this person has shown he’s willing to give the data away to people who are nice to him.”

What was stolen?

Overall, about 272 million unique IDs were stolen. The majority of the accounts and passwords – around 57 million of them – come from Mail.ru, which has stated its intention to check the username/password combinations and contact affected users. Microsoft, which saw as many as 33 million Hotmail accounts stolen in this breach, has stated that it has security measures in place to protect against accounts being compromised.

Meanwhile, about 40 million of the stolen credentials come from Yahoo Mail accounts. Another 24 million were from Gmail. Thousands of other stolen usernames and passwords are not connected to an email account, but belong to employees of large U.S. companies, particularly those involved in banking, manufacturing, and retail.

What should you do?

If you’re worried that your account has been compromised, there are a few steps you can take. The first is to check haveibeenpwned.com, which allows you to search across a history of data breaches to see if your email addresses are okay or compromised.

If you have been compromised, or fear you have been, begin changing your passwords immediately. Make sure there’s a form of two-step authentication in place, or anything else to prevent email access from unrecognized devices, and change any identical or similar passwords you may use on multiple sites. Two-step authentication can typically be easily set up through the website’s Security settings, but you can find information on how to set it up and what sites to use it for here.

As Holden warns: “These credentials can be abused multiple times.” That means anything connected to a compromised email is at risk as well, and after a hack this big, we all need to be careful.
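The advice above to change identical or similar passwords can be checked mechanically. The following is an added example, not part of the original article: a Python script that audits a constructed password list for exact and near-duplicate passwords across sites. The site names, the `stem` and `audit_reuse` helpers, and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample of a password-manager export: (site, username, password).
VAULT = [
    ("mail.example", "alice@example.com", "Sunflower!2016"),
    ("shop.example", "alice@example.com", "Sunflower!2016"),
    ("bank.example", "alice", "sunflower2015"),
    ("forum.example", "alice99", "kT7#vq9Lm2xZp"),
]

def stem(password):
    """Lowercase and keep only a-z, so year or symbol suffixes do not hide reuse."""
    return re.sub(r"[^a-z]", "", password.lower())

def audit_reuse(vault, threshold=0.8):
    """Return (identical, similar): sorted lists of site pairs sharing a password
    exactly, or sharing a base word / a high character-level similarity."""
    identical, similar = [], []
    for (site_a, _, pw_a), (site_b, _, pw_b) in combinations(vault, 2):
        pair = tuple(sorted((site_a, site_b)))
        if pw_a == pw_b:
            identical.append(pair)
            continue
        stem_a, stem_b = stem(pw_a), stem(pw_b)
        # Require a base word of at least 4 letters to avoid trivial matches.
        same_stem = len(stem_a) >= 4 and stem_a == stem_b
        ratio = SequenceMatcher(None, pw_a.lower(), pw_b.lower()).ratio()
        if same_stem or ratio >= threshold:
            similar.append(pair)
    return sorted(identical), sorted(similar)

if __name__ == "__main__":
    identical, similar = audit_reuse(VAULT)
    # Report site names only; never print the passwords themselves.
    for a, b in identical:
        print(f"IDENTICAL password: {a} and {b}")
    for a, b in similar:
        print(f"SIMILAR password:   {a} and {b}")
```

Any site that appears in either list should get a new, unrelated password, starting with the email account itself.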
