Those using email powered by Google, Yahoo, or Microsoft might want to consider updating their passwords. A hacker in Russia obtained “tens of millions” of login credentials for email services provided by those companies, Reuters reports.
Hold Security discovered the hack and recovered the data, which included login information for 272.3 million accounts. Many of the compromised email login credentials belonged to users of popular Russian provider Mail.ru. The data included logins for email services provided by Google, Yahoo, and Microsoft.
“Unfortunately, there are places on the internet where leaked and stolen credentials are posted, and when we come across these or someone sends them to us, we act to protect customers,” a Microsoft spokesperson said in a comment to TIME. “Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account.”
The hacker is offering to sell the login information for less than $1, Reuters reports. Hold Security’s policy doesn’t allow it to pay for stolen data, even if it is a trivial sum of money. Instead, the researchers added likes to the hacker’s social media page and posted positive comments about him in hacker forums in exchange for the data.
Although the breach sounds alarming, it may not be as concerning as it seems. After a first check, Mail.ru concluded that none of the stolen email and password combinations actually work, a Mail.ru spokesperson told Motherboard.
Yahoo’s security team investigated the situation, and the company doesn’t “believe there is any significant risk to our users based on the claims shared with the press,” a Yahoo spokesperson said in a statement to TIME.
Google faced a similar situation roughly two years ago, when it said that less than 2% of the username and password combinations recovered from a string of data dumps in September 2014 might have worked.
When asked for comment about the latest hack, Google told TIME it wouldn’t comment on specific incidents.