If you have a Gmail, Hotmail or Yahoo email account, you may want to update your password.

A new report has found that Russia's criminal underworld is trading hundreds of millions of stolen usernames and passwords belonging to these accounts.

This is according to a Reuters investigation, which spoke to Alex Holden, founder and chief information security officer of Wisconsin-based Hold Security.


WHICH ACCOUNTS ARE AT RISK?

Russia's Mail.ru email service accounts for the majority of hacked accounts. Researchers discovered 57 million account details being traded in Russia.

A large number also belong to Gmail, Hotmail and Yahoo Mail users. Yahoo Mail credentials totaled 40 million, or 15 per cent of the haul. Hotmail accounted for 33 million, which equaled 12 per cent of the leak, and 24 million, or nine per cent, belonged to Gmail account holders.

There is currently no way to know if your details are on the list of threatened accounts.

Mail.ru is now checking whether any combinations of usernames/passwords match users' e-mails and are still active. It will warn users if they are at risk. Yahoo and Google did not respond to requests for comment.

Holden, who last year uncovered the largest data breach to date, claims that the details of 272.3 million stolen accounts are now being traded.

They include the majority of users of Mail.ru, Russia's most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users.

It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major US banks and retailers two years ago.

The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum.

The hacker said he had collected and was ready to give away a far larger number of stolen credentials that ended up totalling 1.17 billion records.

Because he or she vacuumed up data from many sources, researchers have dubbed him 'The Collector'.

After eliminating duplicates, Holden said, the cache contained nearly 57 million Mail.ru accounts - a big chunk of the 64 million monthly active email users Mail.ru said it had at the end of last year.

It also included tens of millions of credentials for the world's three big email providers, Gmail, Microsoft and Yahoo, plus thousands of accounts at German and Chinese email providers.

'This information is potent,' said Holden, the former chief security officer at U.S. brokerage R.W. Baird.

'It is floating around in the underground and this person has shown he's willing to give the data away to people who are nice to him.'

Mysteriously, the hacker asked just 50 roubles - less than $1 - for the entire trove.


HOW TO CHOOSE A PASSWORD

Avoid favourite sports. 'Baseball' and 'football' were both in the top 10 worst password list.

Birthdays and years of birth are easy to guess with the help of personal information.

Common names such as Michael and Jennifer are insecure, with many making SplashData's Top 50 list, too.

Experts suggest using eight mixed types of characters, with seemingly random combinations if possible.

They say that passphrases - short words with spaces or other characters separating them - are easy to recall and are relatively secure if seemingly random words are used.

Experts also advise having different passwords for different sites, instead of relying on one, which if hacked, could prove particularly serious.

However, he gave up the dataset after Hold researchers agreed to post favourable comments about him in hacker forums, Holden said.

He said his company's policy is to refuse to pay for stolen data.

Such large-scale data breaches can be used to engineer further break-ins or phishing attacks by reaching the universe of contacts tied to each compromised account.

This multiplies the risks of financial theft or reputational damage across the web.

Hackers know users cling to favourite passwords, resisting admonitions to change credentials regularly and make them more complex.

It's why attackers reuse old passwords found on one account to try to break into other accounts of the same user.

After being informed of the potential breach of email credentials, Mail.ru spokeswoman Madina Tayupova told Reuters: 'We are now checking whether any combinations of usernames/passwords match users' e-mails and are still active.

'As soon as we have enough information we will warn the users who might have been affected,' she said.

Tayupova added that Mail.ru's initial checks found no live combinations of usernames and passwords which match existing emails.

A Microsoft spokesman said stolen online credentials were an unfortunate reality.

'Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access.'
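The check Mail.ru describes above, de-duplicating a raw dump and then testing whether any leaked username/password pair still verifies against a live account, is shown below as an added example. It is not code from the article, Mail.ru or Hold Security; the dump lines, the user store and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed leaked dump in "email:password" form, with duplicate lines
# (the article describes 1.17 billion raw records shrinking to 272.3 million
# unique ones once duplicates were removed).
LEAKED_DUMP = """\
alice@example.com:Baseball1
alice@example.com:Baseball1
bob@example.com:football
carol@example.com:correct horse battery staple
dave@example.com:hunter2
"""

# Constructed provider user store: bob has already changed his password,
# dave has no account here at all.
SAMPLE_USERS = {
    "alice@example.com": "Baseball1",
    "bob@example.com": "a-different-password",
    "carol@example.com": "correct horse battery staple",
}

def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 as a stand-in for the provider's password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def build_user_store(users: dict) -> dict:
    """Map email -> (salt, hash); plaintext passwords are never kept."""
    store = {}
    for email, password in users.items():
        salt = os.urandom(16)
        store[email] = (salt, _hash(password, salt))
    return store

def dedupe_dump(dump: str) -> dict:
    """Collapse raw dump lines into unique (email -> set of passwords)."""
    unique = {}
    for line in dump.splitlines():
        if ":" not in line:
            continue  # malformed line, skip
        email, password = line.split(":", 1)
        unique.setdefault(email.strip().lower(), set()).add(password)
    return unique

def find_live_matches(unique: dict, store: dict) -> list:
    """Return emails whose leaked password still verifies; these need a forced reset."""
    hits = []
    for email, passwords in unique.items():
        if email not in store:
            continue  # not our user
        salt, digest = store[email]
        if any(hmac.compare_digest(_hash(pw, salt), digest) for pw in passwords):
            hits.append(email)
    return sorted(hits)
```

Accounts returned by find_live_matches are the ones a provider would warn and force to re-authenticate; the rest of the dump is stale for that provider.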


Yahoo and Google did not respond to requests for comment.

Yahoo Mail credentials numbered 40 million, or 15 percent of the 272 million unique IDs discovered.

Meanwhile, 33 million, or 12 percent, were Microsoft Hotmail accounts and 9 percent, or nearly 24 million, were Gmail, according to Holden.

Thousands of other stolen username/password combinations appear to belong to employees of some of the largest U.S. banking, manufacturing and retail companies, he said.

Stolen online account credentials are to blame for 22 percent of big data breaches, according to a recent survey of 325 computer professionals by the Cloud Security Alliance.

In 2014, Holden, a Ukrainian-American who specialises in Eastern European cyber crime threats, uncovered a cache of 1.2 billion unique credentials that marked the world's biggest-ever recovery of stolen accounts.

His firm studies cyber threats playing out in the forums and chatrooms that make up the criminal underground, speaking to hackers in their native languages while developing profiles of individual criminals.

Holden said efforts to identify the hacker spreading the current trove of data or the source or sources of the stolen accounts would have exposed the investigative methods of his researchers.

Ten days ago, Hold Security began informing organisations affected by the latest data breaches.

The company's policy is to return data it recovers at little or no cost to firms found to have been breached.