Millions of Microsoft accounts said to be impacted by email data breach

A Russian hacker is apparently claiming to have obtained hundreds of millions of login credentials for various email services. While the single-largest set of data appears to have come from Mail.ru, details from millions of Microsoft, Gmail, and Yahoo accounts are said to be part of the breach.

The data breach was uncovered by Hold Security, according to Reuters:

After eliminating duplicates, Holden said, the cache contained nearly 57 million Mail.ru accounts - a big chunk of the 64 million monthly active email users Mail.ru said it had at the end of last year. It also included tens of millions of credentials for the world's three big email providers, Gmail, Microsoft and Yahoo, plus hundreds of thousands of accounts at German and Chinese email providers.

In total, it appears that 40 million Yahoo Mail credentials were compromised, along with 33 million Microsoft accounts, and almost 24 million from Gmail. Thousands of these accounts are said to belong to employees of major U.S. companies.

Now might be a good time to change your password, and perhaps enable two-step authentication for your accounts if you can.

142 Comments
  • Source?
  • It's in the article.
  • Ah, right, sorry I didn't see it
  • It's in the game. EA sports.
  • Wrong order Posted via the Windows Central App for Android
  • How come? In mother russia the email hacks you
  • :o two step verification for now. Windows Central app
  • I have two factor authentication active on my Outlook account and Gmail gives alerts for suspicious logins. I guess Ymail account requires attention.
  • Ditto ;) Yahoo needs to be checked.
  • Got it running on mine. Not too easy though. Had to web search it, and when I found it, it didn't list Outlook for Windows 10. LOL! Outlook for Mac, iOS and Android were listed.
  • FYI Outlook.com alerted me a week ago that someone in Russia logged on my MS Account=Outlook.com address. I checked and it showed in history. I immediately changed my password.
  • I had an alert from MS from an attempt to log in from China. When I got the alert about China, I began to think about the faulty tablet I bought on EBay, it began to act weird so I attempted to format the tablet and return it but after running all evening then all night, the format never finished. Figuring it was unusable, I shut it off and returned it. Then I get the alert about an attempt from China. Strange coincidence. Anyway, after the alert, I changed that password.
    Might be careful buying this flood of cheap phones and tablets suddenly flooding the US from China. They may break by design after it has all your information.   
  • I'm pretty sure everybody gets those. It was the reason I turned on the two-factor authentication as well. Personally, I think they have bots that attempt to log into thousands of accounts over and over again looking for people who set their password to P@ssw0rd or stuff like that.
  • Yahoo is an interesting one they seen my 6rd address & locked me out had to go thru their password reset which like MS there needs to be an inactivity timer on each former password since I've had to get creative to change it
  • Yahoo also has two steps verification with app password etc similar to the outlook one (outlook is better with the authentication app)... I just changed my password and activated the 2 steps verification on Yahoo Mail.  In the Yahoo webmail, it is in the top right gear icon -> Account Info -> Account Security (on account page) 
  • Irrelevant if you have TSA. Which I have.
  • The problem with two step authentication is that you can't sign in properly to MS services on iPhones (the dialogue to input the authentication code doesn't show up). Since moving to that platform, I've turned off two step authentication.
    Microsoft should do what Google do - and automatically send emails when login attempts are made from new devices.
  • You can log in on devices and apps that don't support the dialog box even if you have TSA enabled. You have to enter a so-called app password. You can find it somewhere buried in the MSA-settings, but it's a pain to find it. Sent from my (usually) leather-coated Lumia 950 :3
  • you can still use TSA, go to your microsoft account and find the TSA section, there's a bit specifically about your use scenario. just end up generating an app specific password for things that can't prompt for the code.
  • Not true. See other replies.
  • Or do what paypal does for ios/Droid
  • Yeah this is flat out wrong.  I use TOTP on my MSA just fine with my iPhone.  
  • IOS supports Top Of The Pops on your Motor Sports Association??? I can't understand why Apple's growth has stalled.. Do you think they've thought about trying it in rose gold?
  • What is an iPhone...?
  • I think you guys mean TFA, not TSA. Unless we've gone off-topic about security theatre at U.S. airports...
  • You're talking about the recent Star Wars film?! :-p Sent from my Lumia 830 running Windows 10 Mobile
  • *facepalm* :P
  • The correct terminology is actually TOTP.   
  • You talking about InuYasha The Final Act?
  • Better safe than sorry. Two-factor authentication is definitely an amazing second-line of defense, but you can't really be too safe when it comes to protecting your most sensitive of data. You're probably covered, but better safe than sorry. After your data has been stolen, it's already too late. So just be proactive. It's up to you, but my recommendation is to change your password anyways.
  • Omg!
    Will he eat them? F**k Him
  • Like why even? Really? That's so low... Zachary Bowling - ZAD Apps
  • I tried to do the 2 step authentication but after I did it I couldn't sign into my Xbox one. It wouldn't let me enter the credentials on the Xbox one so I had to disable it
  • Xbox One supports 2 Factor. You might have to generate an App Password online in your Microsoft Account security settings but I thought it would text a code as well.
  • You have to use a code they provide not your password, search online. I have tsa on mine and it works just fine
  • It didn't let me enter anything it was buggy the input field didn't work even after a couple of resets
  • Using TFA on Xbox One and have had no issues on either the preview version or release. Posted via my MotoE2
  • Same. 2FA ABSOLUTELY works on Xbox One, 360, and the like. Hope this helps. http://windows.microsoft.com/en-us/windows/app-passwords-two-step-verifi...
  • Use IE, mine was buggy in the beta of Edge.
  • No.
  • Two factor all the way for me. Trusty authenticator app always at my side.
  • Google only has iPhone and Android options for two way verification! How can I turn it on if I have Google account?
  • Don't do Google so I can't help there I'm afraid.
  • You should be able to set up TSA using the Microsoft Authenticator app.
  • Ah, yes. Microsoft Authenticator app worked just fine.
  • Care to give instructions or a link? Sent from my Lumia 830 running Windows 10 Mobile
  • From Google account settings turn on two step verification. Enter your phone number to get verification code as text. Next, enable alternative verification then choose either iPhone or Android and it will show a barcode. Open Microsoft Authenticator app, scan the barcode and you're done.
  • Thanks, I had it on texts, did not know it works with the MS app, too.
  • 830 running Windows 10Preview. Posted Windows central W10M 650.
  • Hoax
  • Could be, I'm on the fence.
  • 67 Windows phones users.
  • Hey you're pushing it /s
  • Yep if they provide 2 step authentication, then you should set it up. Here is what's in my Outlook recent history...
    Incorrect password entered 4/19/2016 1:43 AM Vietnam
    Successful sign-in 4/15/2016 10:28 PM United States
    Security challenge 4/15/2016 10:27 PM United States
    Incorrect password entered 4/15/2016 10:27 PM United States
    Incorrect password entered 4/14/2016 5:05 PM Colombia
    Incorrect password entered 4/12/2016 10:51 PM Mexico
    LOL ... there are many from previous months from location like Russia, India ... etc ...
  • Where can you view the history? Is it on outlook.com?
  • Login your outlook account.  Click on the your avatar on the top right and go to Account Settings.  Then click on security & privacy.  Then click on See my recent history.
  • Go into your Account settings and click on Manage your sign-in email or phone number (or click the link here) and choose a new Alias as primary and disable all other from login.
  • Do you use that email for any account anywhere else?  My guess is that some account somewhere got hacked and your credentials sold.  Good chance they are trying to use your password from a different site.  That is exactly why forums are hacked....they could care less about taking over forum usernames.
  • Which is exactly why I use a different password for every account I have. Most over 18 random characters with upper/lower case, special characters, numbers, etc. Nothing spells a word. If I didn't have a password safe I'd be lost, LOL.
  • Now that's security!
  • Russia and India once in a while.
  • Lastpass authenticator works good.
  • Lastpass has been hacked in the past.
  • No one's Lastpass password vault has been hacked.
  • Password vaults are a must. It's the only way I can use a different password for everything I do, so that no one that gets one can ever get another of my logins.
  • What's with the downvotes? It's true Lastpass was hacked...at least twice in recent years. I use a "vault" as well, mSecure, but at least I don't have to keep it on someone's online server.
  • I already have 2factor enabled on my microsoft account. Good riddance hackers!
  • Why is this info unavailable from other sources???
  • I already have it as well.
  • It was bound to be MS's turn someday. So many breaches have occurred. Posted from PornHub
  • ...crap. Windows Central for Windows 10-Microsoft Lumia 640
  • Is there an article explaining how to use the authenticator app on Windows Phone and use two-step authorization on other devices?
  • The process is quite straightforward and the instructions are available when you set up the app. You basically open the app, tap the plus sign, scan the barcode that your MS-account site gives you. Sent from my Windows 10 PC.
  • When you set up the authenticator app on your MSA online it tells you to pick your OS type and walks you through it.
  • Just axed the guy's hands and see how long it takes until someone else try to be a dumbass
  • Good thing the most secure phone is on its way... mm.. in April 2017. Maybe. :P
  • Without Intel processors...
    The Surface Phone really doesn't sound viable anymore.
  • MS should go with Chinese CPU for Surface phone. F**k Intel!
  • No... Just no atom. They could commission a custom chip, use a core M3 or something or go AMD(?!). Sent from my Lumia 830 running Windows 10 Mobile
  • AMDs arm server chip
  • Like desktop programs were ever viable on a phone...
  • Continuum!
  • Tried to activate 2 steps verification for MS account and can't figure out how to make my phone apps have the passwords ... the steps that MS are showing on their site are not working for Win 10 mobile.
  • You must be doing something wrong. Didn't work on very early builds, but working fine now. Just remember that not all apps support TSA. This is where app passwords help.
  • I have no clue what exactly is the 2 steps verification on MS site anyway... for my Google account I always get an SMS with a code, on MS I just log in .. nothing changed and now I think my calendar doesn't sync with any devices ... tablet / pc / phone ...
  • You have to generate App passwords for some apps on the MS account site (one time) and on your PC there is no 2 factor because it doesn't need that info anymore, if you login on a new PC you will get asked for a code as well as if you want to remember that device to not ask you for a code again.
  • Great... I approve this message.
  • The real question is who it impacts. Was the data stolen off servers? Was it a third party app that was allowing sign in? Was it a brute force scenario where easy passwords were taken? Have any of these companies announced that this did happen and who is affected? Seems like until there's more info it could be nothing.
  • This. I'm still wondering if this is such big news why hasn't it appeared anywhere else.
  • http://www.cnet.com/news/hacker-trades-272-million-passwords-for-social-...
  • It was bogus. Hacked from websites and users who used same pass on websites and services could be affected which is pretty much none. A lot of them don't even exist. http://arstechnica.com/security/2016/05/the-massive-password-breach-that...
  • Logged in yesterday to xbox.com they prompted for a password change to 8 characters long
  • This is where Windows Hello and biometric logins are gonna come in reallyyy handy
  • Already changed, and my password change was 2 step verified. Awesome.
  • Everyone should simply implement 2 factor authentication, it really is much safer.
  • Keep up the BS Microsoft!!! Posted from Windows Central for Windows 10 Mobile BETA
  • Someone didn't read the article.
  • Re: JohnStrk,
    I don't see your point? Just a random nonsense comment?
  • Struggling to understand what the connection is between mail.ru and all the other mail providers and how that could compromise millions of passwords?
  • I just posted basically the same thing.  I even scanned through the original article.
  • Well well well.. I don't want to sound like cool but yesterday while logging into my Hotmail account i noticed the URL of hotmail login page was suspicious.. (i always keep an eye on that). Usually it is login.live....... But yesterday when i opened the hotmail login make it showed something different (don't remember now).. When i entered my credentials (i am sure 100% that i didn't make a mistake) it bounced me back to the same login page claiming i entered wrong password (amazingly this time the URL was back to normal login.live...) so i reentered my credentials and it was all good.. It hit me hard that something was not good so i went straight to security settings and changed the password, not only this but all my other accounts... Fingers crossed Nokia Lumia 1520
    ~The Power of Windows 10~
  • and how the **** did you get to a wrong url? Sent from an alien space ship with a Lumia 950
  • DNS gateway URL redirect hack, sends you to a false copy of a site, records your login attempt (correct or not) then redirects to the proper DNS gateway URL prompting login credentials again... Boom, done, you're hacked...
  • Exactly. I am aware of this hack and in the past I've dodged it many times (that's why I said I keep an eye on URL, because in such attacks your URL is other than normal login.live when you are redirected to a false similar looking webpage). What fooled me this time was the "green https" followed by "green MS official site" which represents actual MS webpage. So I thought maybe MS changed URL or something. The moment it bounced me back to original page claiming I entered wrong password is when I realized it was a hack attempt. My browser was Google Chrome on Win 7 Lenovo laptop Nokia Lumia 1520
    ~The Power of Windows 10~
  • Well its a sort of hack attempt mentioned by "jsnod25".
    I typed normal hotmail.com on my google chrome browser but it took me to a URL that looked suspicious for someone who knows a bit about URLs Nokia Lumia 1520
    ~The Power of Windows 10~
  • Good thing I didn't turn it off. Love this security feature! Posted from Windows Central for Windows 10
    Using My Beastly 1520
  • Microsoft Authenticator App always.
  • Changed passwords for MSN, Outlook and Gmail accounts.
  • Also in CNET:
    http://www.cnet.com/news/hacker-trades-272-million-passwords-for-social-...
    If nothing else, this got me to do something I should be doing anyway.
  • Same here. I changed my PWs to: Gmail, Yahoo and Outlook. This worked out good because it was time to change the PWs as I change them 3 times a year for email and financial accounts.
  • Re: Catfish,
    If true, it said Yahoo, google, and others too. If the Microsoft users use two factor login, the hack is nearly meaningless to Microsoft.
  • Maybe I missed this but how were these passwords hacked?  What did this hacker do to get info from all of the major email providers?
  • I missed it too. What exactly happened, when and to whom? The basics of journalism: Who, What, When, and Where?
  • If you read up, I posted a plausible explanation as to how in a response to a similar question...
  • If there is such, why haven't our email providers sent an email or something just like Ebay and paypal did? And about changing passwords the question is when was it compromised? Coz maybe it was a few days ago and those who changed their passwords the day after it happened
  • Forever 21. Nice.
  • Time for a tall tree and a short rope.
  • Lol!!
  • This means war.
  • Oh noes, but not me man...never gone anywhere near a .ru addy =p Ugh, I'm at work...so boring lol =p
    Windows 10 RULZZ yer FACE!!!
  • Shouldn't MS tell something to the subscribers? Like "watch out change your credentials", otherwise what shall I do?
  • If you login from a web browser sure it will prompt for a password change
  • Last week ago I got an email about resetting my password for one of my accounts. Somebody was trying something with my account.
  • Unfortunately, hacks will become more and more frequent. Hackers are clever and the average device user is always a buck short and a day late.
  • So very true!
  • Already have two-factor authentication enabled, but I guess this is a good time as any to remove all my trusted devices, app passwords and change my primary password. This might be a hoax, but you can never be too sure. Stay safe, my friends!
  • Sounds like a plan...
  • Good thing I can change my password and hope they didn't get anything important...
  • I always have 2 Step verification turned on
  • What is the source of the hack? Was MS hacked, yahoo or what?
  • Microsoft, Google and Yahoo. And the source is given in the article
  • Yes I see what accounts have been taken, but from where? Whose database did they compromise; if it were ALL of them, I'd imagine it would be more than "millions" of accounts. And until we know who the source of the breach was, changing passwords could prove futile if the source of the breach hasn't been patched.
  • Just switch on two step authentication.
  • I'm not worried, if my account gets hijacked, I can put my phone and get password reset, I am too lazy for two factor authentication Posted via the Windows Central App for Android
  • Re: Gabriel Hernandez5,
    You say "... I can put my phone..."?
    Where do you put your phone?
  • lol
  • All good...
    Using the MS Authenticator App for my two MS accounts and Google account and have TSA instituted with my Yahoo Accounts. Posted from Windows Central for Windows 10
    Using the Alcatel OneTouch Fierce XL for Windows 10 (Redstone)
  • Wtf
  • Qwerty1 is now 1ytrewQ
  • sub.
  • This is just part of the West's propaganda attack on Russia.
  • http://www.engadget.com/2016/05/05/russian-email-provider-hack-update/ Looks to me like this was a whole lot of drama-creating nonsense on the part of the supposed "hacker" and they used Reuters to get attention. :)