A single file on the dark web holding a database of 1.4 billion clear text credentials is not only the largest aggregate found there, but it also opens a trove of credentials to even the least sophisticated hackers.
The breach is almost twice the size of the Exploit.in combo list that exposed 797 million credentials. Noting that the passwords in the latest find are not encrypted, Julio Casal, founder and CTO of 4iQ, which discovered the database, wrote in a blog post that “what's scary is that we've tested a subset of these passwords and most of them have been verified to be true.”
This dump is an aggregate of 252 earlier breaches, “including known credential lists such as Anti Public and Exploit.in, decrypted passwords of known breaches like LinkedIn as well as smaller breaches like Bitcoin and Pastebin sites,” Casal said, explaining that because the database is interactive, searches are fast and new breaches can be imported.
“I've suggested that it would be possible to take stolen identity data, such as names, addresses, employer, spouse's name, children's names, etc. — anything identifiable and combine that with various other breaches to find common data points linking people to people, people to companies, companies to data, etc. which would possibly be useful in targeted phishing or extortion attacks,” said Imperva CTO Terry Ray. “There certainly have been enough breaches to expose personally identifiable information in quantities useful in such analytics.”
Ray doesn't “think it will be long before aggregated data sets on the dark web are sold containing much more than passwords, given the breadth of data we know has been stolen over the years,” noting that the data currently found is “only valid as long as users continue to make poor choices in password usage.”
But, he said, “stolen names, addresses, family member names, etc. don't change nearly as often, if ever for some, so the long-term value and longevity of a more extensive analytic dataset would likely be very popular in some hands.”
The newly discovered “database makes finding passwords faster and easier than ever before,” said Casal. “As an example, searching for ‘admin,’ ‘administrator’ and ‘root’ returned 226,631 passwords of admin users in a few seconds.”
And because the information “is organized alphabetically, offering examples of trends in how people set passwords, reuse them and create repetitive patterns over time,” it “offers concrete insights into password trends,” said Casal.
“Our data is out there and now it is conveniently stored on the Dark Web in a gigantic searchable database for criminals to acquire,” said Michael Magrath, director of global regulations & standards at VASCO Data Security, calling “unfathomable” cybercriminals' level of sophistication. “Not only is stolen data aggregated, it has been catalogued and packaged so even novices to the Dark Web can easily search and acquire targeted data in similar fashion to a marketer renting a mailing list from a list broker targeting specific demographics.”
Noting that “this is the latest example of cybercrime getting organized, efficient, and widely available,” Satya Gupta, founder and CTO, Virsec Systems, said he suspects “dark web marketplaces are probably also funding more advanced, and stealthy attacks being designed against high-value corporate, government and infrastructure targets.”
The availability of databases of credentials on the dark web “should concern regulators and governments about their lax policies on passwords, especially those used for elevated access,” said Lieberman Software President Phil Lieberman, who called PCI and other regulatory standards requiring administrator password changes only every 90 days “out of touch with reality.”
Similarly, he said, “the obsession with removing clear text passwords by auditors and analysts via obfuscation rather than technology improvements, further cements the reality that current IT processes are out of step with the threats of today.”
Tim Erlin, vice president of product management and strategy at Tripwire, urged consumers “to be vigilant about changing their passwords and employing multi-factor authentication” so that stolen credentials can't be used against them going forward.