Gmail, Hotmail and Ymail account details openly traded by Russian mafia

Treasure trove of email account user names and passwords being traded across Russian criminal underworld

The details of almost 300 million Hotmail, Gmail, Yahoo Mail and other email accounts are being freely traded by Russian criminals, according to Alex Holden, founder and chief information security officer of Hold Security.

Holden was the man who last year uncovered the largest data breach to date. He claims to have found the details of 272.3 million stolen accounts being traded across the Russian criminal underworld.

And it is Russians who are most likely to be targeted, too. Russia's own Mail.ru email service accounts for the majority of hacked accounts at 57 million, but a large number also belong to Gmail, Hotmail and Yahoo Mail users.

Yahoo Mail credentials totalled 40 million, or 15 per cent of the haul, Hotmail accounted for 33 million, or 12 per cent, while 24 million, or nine per cent, belonged to Gmail account holder.

It wasn't just email accounts that were targeted, according to Reuters, with Holden also discovering thousands of other stolen username and password combinations that appear to belong to employees of some of the largest US banking, manufacturing and retail companies.

Holden stumbled on the discovery after he saw a young Russian hacker - since nicknamed "The Collector" - bragging about the information haul in an online forum. He was asking for just 50 rubles - less than $1 - for the lot, but Holden was given the information for free after he said he'd big up the hacker online.

"This information is potent. It is floating around in the underground and this person has shown he's willing to give the data away to people who are nice to him," said Holden. "These credentials can be abused multiple times," he said.

Mail.ru spokeswoman Madina Tayupova told Reuters: "We are now checking whether any combinations of usernames/passwords match users' emails and are still active.

"As soon as we have enough information we will warn the users who might have been affected," she said, adding that Mail.ru's initial checks found no live combinations of usernames and passwords that match existing emails.

A Microsoft spokesman said: "Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access."

Google and Yahoo are yet to comment. We'll update this article when we hear more.