The last two years have been all about massive data dumps. While most of the major data breaches actually occurred at least a few years ago, the data stolen in those hacks started showing up in 2016, and the trend continued in 2017. It appears someone has been working on bringing much of that data together in one place: the dark web.
"Largest credential breach exposure" on the dark web may make the cybercrime epidemic exponentially worse
A massive file carrying the credentials of over 1.4 billion people has been seen roaming about the dark waters of the internet. Security researchers at 4iQ said that the 41 GB file contains 1.4 billion username, email and password combinations. If that wasn't enough, all of that data is in plaintext, no work required! Whoever uploaded the file has added their bitcoin wallet details for donations.
"None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true," Julio Casal, founder of @4iQ said. "The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records."
The dump includes search tools and insert scripts explained in a README file.
The file was first discovered on December 4 and had last been updated at the end of November, hinting that someone is keeping it current. To help criminals, the file has also been indexed and alphabetized for easy searching. Researchers said the data isn't from a single breach, as it contains data from Netflix, MySpace, LinkedIn, Last.FM, YouPorn, Minecraft, and others. In total, the file aggregates data from 252 previous breaches!
While many of these breaches are actually very old, the success ratio is still high. Many users go for the same email and password combination on different websites. Even if they changed their credentials on one affected site (not many users do that despite multiple warnings), the same combinations work on other services.
This is not just a list. It is an aggregated, interactive database that allows for fast (one second response) searches and new breach imports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover.
As for the most used passwords, 123456, qwerty, password, and 111111 unsurprisingly continue to top the charts. Researchers have also added that not all of this data is redundant as "14% of exposed username/passwords pairs had not previously been decrypted." This means that this file "adds 385 million new credential pairs, 318 million unique users, and 147 million passwords."
This is one serious discovery as it puts the stolen data at the fingertips of any wannabe or serious criminal automating the account hijacking process. One thing you can do to protect yourself? Change your passwords!