1.4 billion unencrypted credentials found in interactive database on the dark web
A data dump containing over 1.4 billion email addresses and clear text credentials is offered for download in an underground community forum.
What’s so special about this data dump?
For one, it’s the largest one to date. “This dump aggregates 252 previous breaches, including known credential lists such as Anti Public and Exploit.in, decrypted passwords of known breaches like LinkedIn as well as smaller breaches like Bitcoin and Pastebin sites,” 4iQ founder and CTO Julio Casal noted.
Secondly, the dump has been pretty regularly updated – here are the latest additions:
Thirdly, none of the passwords are encrypted and some of them still work. Also, 14% of exposed username/passwords pairs had not previously been decrypted by the hacker community.
Finally, the dump is interactive: it includes search tools, and scripts that can be used to import new data in the database (how to do it is explained in a README file).
“This database makes finding passwords faster and easier than ever before. As an example searching for ‘admin,’ ‘administrator’ and ‘root’ returned 226,631 passwords of admin users in a few seconds,” Casal pointed out.
What can be gleaned from it?
As the data in the dump is organized alphabetically, the researchers were able see that many users reuse the same password for many different accounts, and how password patterns change over time:
And, once again, the most widely used passwords are the usual suspects: “123456,” “123456789,” “qwerty,” “password”, “111111,” “abc123,” “iloveyou,” “password1,” and so on.
The danger
This is not the first data dump of this kind, and it won’t be the last. Its author (compiler) is unknown, but he (or she) is accepting donations in Bitcoin and Dogecoin instead of outright selling it.
While many keep repeating that the end of passwords is nigh, we’ve yet to come to that point – passwords are one of the easiest authentication methods and will continue to be used for the foreseeable future.
And, it seems, users will continue to choose predictable, easily guessable passwords, and will continue to reuse them on different accounts. And hackers will continue using this type of dumps for automating account hijacking or account takeover.
If you’re worried about keeping your accounts safe, the best thing you can do is to use a password manager/vault and make it choose long, random, different passwords for each account.
Once you’ve done this, for added security, enable two factor authentication where possible – and especially on your most important accounts.