Log-in credentials for over one million Gmail and Yahoo accounts are being sold on a dark web marketplace.

According to reports, a seller is offering the accounts for sale. Among the compromised accounts being offered are 100,000 Yahoo accounts allegedly harvested from the 2012 hack of Last.fm, according to HackRead. The information includes usernames, email addresses and plain text passwords.

A further 145,000 Yahoo accounts are also on sale, apparently taken from the October 2013 Adobe breach and the MySpace hack, which happened in 2008 but not made public until 2016. These details include usernames, email addresses and decrypted passwords.

The number of Yahoo accounts on offer is dwarfed by the number of Gmail accounts said to be up for sale.

First up is 500,000 Gmail accounts, including usernames, email addresses and plain text passwords. According to HackRead, these came from 2014’s breach of the Bitcoin Security Forum, the Tumblr breach of 2013 and the same MySpace hack that yielded the Yahoo credentials.

It’s not clear if the Bitcoin Security Forum itself was breached in 2014, or if these Gmail accounts are from the same dump of five million accounts in September of that year.

A further 450,000 Gmail accounts are being offered by the same seller, said to be from a variety of breaches including Last.fm, Adobe, Dropbox, Tumblr and more.

What You Should Do

Users worried about the security of their Gmail or Yahoo account, particularly if their accounts were compromised in any of the data breaches mentioned here, should change their password immediately.

Users should also enable two-factor authentication where it is offered, as it adds another layer of security to online services by sending a unique, one-time code to a mobile device, which has to be entered alongside the password.

For more information about our work, please visit www.safeinwarwickshire.com/cybercrime

Cyber Aware is a cross-government campaign, funded by the National Cyber Security Programme. They aim to measurably and significantly improve the online safety behaviour and confidence of consumers and small businesses (SMEs).

Get Safe Online is the UK’s leading source of factual and easy-to-understand information on online safety. Their website offers advice on how you can protect yourself, your computers and devices, and your business against the likes of fraud, identity theft, viruses and other potential online problems.