The firm said in a statement certificate tied to its e-mail accounts seemed to have been stolen from other, unrelated websites including social networks or ecommerce websites that ask users to sign up using email addresses like Mail.ru and decide passwords, which most commonly WOn’t be the same as those for the e-mail accounts.

“The database is most likely a compilation of a couple old information drops gathered by hacking web services where individuals used their email address to enroll,” the Moscow-based firm said.

Creator of Hold Security, Alex Holden, an US company that specialises in recovering stolen qualifications from hackers, told Reuters on Wednesday a youthful Russian hacker had been coaxed by his research workers into revealing the information that was purloined.

Mail.ru lately reported 64 million monthly active e-mail users.

In a statement, the Moscow-based firm said its own study of sample data supplied by Holden had found that 99.982 percent of Mail.ru account qualifications on the hit list were invalid. Most used fake email addresses or had wrong passwords.

But the firm admitted that 0.018 percent of the usernames and passwords might have worked and said: “we’ve already notified the affected users to alter their passwords.”

A Yahoo representative said the firm had got a sample of Hold Security’s information and will not consider “there’s any considerable danger to our users based on the claims shared with the press.”

Holden said he’d provided a randomised sample of information that represents less than one tenth of the open Mail.ru records. He said he was prepared to supply Mail.ru the complete dataset.

Hackers understand users cling to favourite passwords. Attackers reuse old passwords discovered on one account to try and break into other accounts of the exact same user it’s.

Mail.ru said its specialists continuously monitor the internet for info dumps to see if Mail.ru account credentials are endangered. It said the “one purpose” of disclosing the potential qualification larceny was to create media hoopla and to encourage Holden’s company.

The business of Holden, whose, said he’d spent the previous week telling any business whose certificate was doing it at no cost and seemed to have been stolen.

“We don’t have any claim to this advice because we only recovered it from the hacker and are sharing it with the community,” he said. Hold Security will not release the database of stolen accounts but said it supplies information that is unique to authorised specialized staff at the affected companies.