Searchable database of unencrypted usernames and passwords available online
Security experts have found a 41-gigabyte (GB) archive containingย over 1.4 billion unencrypted user credentials on the Dark Web, which had been updated at the end of November.
The huge database consisting over 1.4 billion email addresses, passwords, and other credentials in plain text was discovered online on December 5 by security researchers from the California-based identity threat intelligence company,ย 4iQ. The file found is not the result of a new data breach, but an amalgamation of those from several past breaches, collated into a single database that is over 41GB in size.
According toย Julio Casal, 4iQ founder and chief technology officer, the archive is the most massive aggregation of various leaks thatโs ever been found in the Dark Web until date.
โWhile scanning the deep and dark web for stolen, leaked or lost data,ย 4iQย discovered a single file with a database ofย 1.4 billion clear text credentials โ the largest aggregate database found in the dark web to date.โ reads aย postย published by 4iQ on Medium.
โNone of the passwords are encrypted,ย and whatโs scary isย theย weโve tested a subset of these passwords and most ofย theย have been verified to be true.โ
The 41GB file aggregates data from a collection of over 250 previous data breaches and credential lists, which include popular websites such as LinkedIn, Netflix, Last.FM, MySpace, Zoosk, and YouPorn, as well as games like Minecraft and Runescape.
The data was organized and indexed alphabetically by the collector, andย the total amount of credentials isย 1,400,553,869.
โThe breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records.โ continuesย Julio Casal.
โThis new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps.โ
An extensive examination of the archive gave researchers a glimpse of some of the most commonly used weak passwords by the users, which includes passwords such as โ123456,โ โ123456789,โ โqwerty,โ โpassword,โ and โ111111.โ
While some of the breaches happened a few years ago, expert observed that the cybercriminals still have good chances of accessing personal accounts as users tend to reuse the easy and common passwords or the same passwords for multiple online services.
โSince the data is alphabetically organized, the massive problem of password reuse โ โ same or very similar passwords for different accounts โ โ appears constantly and is easily detectable.โ states the post.
The researchers highlighted thatย 14% of the 1.4 billion records (almost 200 million)ย had not previously been available in readily-usable decrypted form. In other words, the passwords and usernames, were new and in plain text.
โWe compared the data with the combination of two larger clear text exposures, aggregating the data from Exploit.in and Anti Public. This new breachย adds 385 million new credential pairs,ย 318 million unique users, and 147 million passwordsย pertaining to those previous dumps.โ continues the expert.
While it is unclear who is behind the collection of billions of user credentials, the culprits have however left the Bitcoin and Dogecoin wallet addresses accessible for anyone who wants to donate for their alleged efforts.
In order to stay safe from potential cyber-attacks, we recommend our readers to use strong passwords, avoid using same passwords on multiple sites, and regularly keep changing your passwords.
Source: securityaffairs