Stolen email accounts, 90 bucks and some Chinese spam.

In the news over the past couple of days, much has been made of the tens of thousands of stolen email account credentials that have been posted on publicly visible websites. There is no positive indication of how these accounts were obtained or really even whether they were obtained as a result of one single activity (such as a phishing or keylogging endeavour) or whether they are simply a collected list of stolen details.


So far details from Yahoo!, Hotmail, Gmail, AOL, Earthlink and Comcast among others have been posted online. The data has been simple lists of matched username and password pairs and did not appear to have been cleaned up or de-duped.


What is surprising is not really the number of accounts affected, although current media reports may lead you to think otherwise. It is only the fact that so many were exposed publicly that is surprising. There is a thriving underground market in stolen email account credentials, and the number of accounts for sale on any given day easily exceeds the 30,000 or so that have been exposed in this latest story. These accounts are valuable to scammers because emails coming from people you know and have in your address book are far more likely to be trusted and far less likely to end up in a spam folder. In what may or may not be a coincidence, here is some spam I received from an email account belonging to a friend of mine just one day after this story broke.




Anyway, I thought I would go and have a quick look at just how much that account data was actually worth; I think you’ll be surprised. Using the current prices of one single vendor who has multiple tens of thousands of stolen accounts for sale, we can estimate the value of 10,000 Hotmail account credentials at a measly $90 (US Dollars). That is, of course, applying the 10% discount that the vendor is offering for purchases of over 10k accounts.

Prices as at 7th October 2009



This is not a “massive phishing campaign”; it is simply the ugly backside of online crime sticking out of the water for a second as it dives back into murkier depths.


If you have an email account and you are in the slightest bit unsure of things, why not go and change your password? After all, you do that regularly anyway, don’t you?


If you want some free tools to help protect you in the future, then have a rummage around here

6 thoughts on “Stolen email accounts, 90 bucks and some Chinese spam.”

  6. Jesus Alvarez

    After almost having been duped by a phoney email from PayPal warning me about suspicious activity, I now don’t know what’s real and what’s fake.

    This morning I received a very real looking email “offer” from Symantec for a FREE Norton Internet Security upgrade. I went to the Symantec site and found no similar offer. When I Googled the same wording, nothing came up as a free offer.

    The email I received had my name on it but the sender was Norton from Symantec / Symantec[at]reply[dot]digitalriver[dot]com

    The [at] reply part before the name made me think it could be a fake site.

    There was a time when a fake/phishing email could be easily spotted. I think those days are over.

