Saturday, May 07, 2016

Don't believe everything you read (or your indicator aggregator tells you!)

If you've been monitoring the story of 270+ million stolen, Google, Yahoo, and Hotmail accounts, you'll know there's still a bit of controversy, but this story is one from the other side of the pond --I'm leaving it in my Analysts's good but still slightly broken English. The point? Don't believe everything thats aggregated and dumped into your defenses. We're still verifying too.

This is a couple of days old and is making its way through the groups, but for the rest, this is yet another great lesson on sourcing quality when it comes to intelligence. What would your company have done if they'd received 270 million personal email accounts? Many of you allow personal accounts to be used --or at a minimum, allow their use from work, or through social networks.

Mistakes and miscommunications sometimes happen, and there's no telling if this was doing damage control, or if it really was a bad source. Either way, the lessons are these... the data is suspect. Know your sources. Know your intel provider. If they're giving you junk, ask for more information.


Initially it was reported that Alex Holden's Hold Security got a database with 1.17 billion records with 272.3 million stolen accounts including Mail Ru, GMail, Yahoo and Hotmail users (1). According to Holden, the cache contained nearly 57 million unique accounts - a big chunk of their 64 million monthly active email users (2). While Yahoo and Google are still investigating, Mail Ru, which allegedly was hit the worst, requested the accounts and reported the result of investigation (3):

Mail Ru says that Holden just grabbed different databases together to attract attention to his business (3). They say 99.982% of Mail Ru accounts they got from Holden were not valid.
While 0.018% were possibly working, – and now notified for password change.

In more detailed breakdown of the numbers Mail Ru says:
  • 22.56% of the Holden's accounts have e-mail addresses that never existed in the first place
  • 64.27% - wrong password
  • also 0.74% had no password at all
  • 12.42% accounts were already blocked as hacked or automatically created (3)

They also believe that some passwords in the database were automatically created during/for brut-forcing attempts (3).

In another breakdown of the data The Inquirer reports that only 15.4% (42/272M) of the accounts are seen leaked for the first time (2) – which means most of the accounts were seen leaked before and possibly were just copied from previous breaches (2).

(3) tass[.]ru/obschestvo/3263688 [in Russian]
and corp.mail[.]ru/en/press/releases/9613


Keeping it short this weekend. Feeling a bit under the weather.

In the mean time, we've reworked some of our reporting processes for a more holistic look at cyber threat --getting to the left of Kill Chain continues to be our mantra. Interested? Drop us a note or give us a call.

Until next time,
Have a great weekend.