In the news over the past couple of days, much has been made of the tens of thousands of stolen email account credentials that have been posted on publicly visible websites. There is no positive indication of how these accounts were obtained or really even whether they were obtained as a result of one single activity (such as a phishing or keylogging endeavour) or whether they are simply a collected list of stolen details.
So far, details from Yahoo!, Hotmail, Gmail, AOL, Earthlink and Comcast, among others, have been posted online. The data consisted of simple lists of matched username and password pairs and did not appear to have been cleaned up or de-duped.
What is surprising is not really the number of accounts affected, although current media reports may lead you to think otherwise. It is only the fact that so many were exposed publicly that is surprising. There is a thriving underground market in stolen email account credentials, and the number of accounts for sale on any given day easily exceeds the 30,000 or so that have been exposed in this latest story. These accounts are valuable to scammers because emails coming from people you know and have in your address book are far more likely to be trusted and far less likely to end up in a spam folder. In what may or may not be a coincidence, here is some spam I received from an email account belonging to a friend of mine just one day after this story broke.
Anyway, I thought I would go and have a quick look at just how much that account data was actually worth. I think you’ll be surprised. Using the current prices of one single vendor who has multiple tens of thousands of stolen accounts for sale, we can estimate the value of 10,000 Hotmail account credentials at a measly $90 (US Dollars); that is, of course, after applying the 10% discount that the vendor is offering for purchases of over 10k accounts.
This is not a “massive phishing campaign”; it is simply the ugly backside of online crime sticking out of the water for a second as it dives back into murkier depths.
If you have an email account and you are in the slightest bit unsure of things, why not go and change your password? After all, you do that regularly anyway, don’t you?
If you want some free tools to help protect you in the future, then have a rummage around here: http://free.antivirus.com/prevention-tools/