Searchable Database of 1.4 Billion Stolen Credentials Found On Dark Web (itworldcanada.com) 72
YVRGeek shares a report from IT World Canada: A security vendor has discovered a huge list of easily searchable stolen credentials in cleartext on the dark web, which it fears could lead to a new wave of cyber attacks. Julio Casal, co-founder of identity threat intelligence provider 4iQ, which has offices in California and Spain, said in a Dec. 8 blog his firm found the database of 1.4 billion username and password pairs while scanning the dark web for stolen, leaked or lost data. He said the company has verified at least a group of credentials are legitimate. What is alarming is the file is what he calls "an aggregated, interactive database that allows for fast (one second response) searches and new breach imports." For example, searching for "admin," "administrator" and "root" returned 226,631 passwords of admin users in a few seconds. As a result, the database can help attackers automate account hijacking or account takeover. The dump file was 41GB in size and was found on December 5th in an underground community forum. The total amount of credentials is 1,400,553,869.
Where? (Score:5, Insightful)
Where can we get the file? NIST Special Publication 800-63-3 on authentication says we should check user's proposed passwords against a list of known compromised passwords. This sounds like a pretty good list.
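As an added illustration of the NIST-style check the post refers to (example code written for this thread, not from the article, 4iQ, or NIST), the snippet below screens a proposed password against a compromised-password list. The list is a constructed handful of entries from the kind of top-40 list discussed later in the thread; a real deployment would load a breach corpus such as the Pwned Passwords data instead. It also mimics the k-anonymity "range" lookup pattern (client sends only the first five hex characters of the SHA-1, gets back every suffix sharing that prefix) so the full hash never leaves the client; the range-server side is simulated locally here, which is an assumption of the example.

```python
import hashlib

# Constructed sample blocklist (not a real breach corpus): a few passwords
# of the sort that appear in "top passwords" lists from large dumps.
SAMPLE_COMPROMISED = ["123456", "password", "myspace", "homelesspa", "monkey", "dragon"]


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the convention used by range-style lookup services."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index breached hashes by 5-char prefix -> {35-char suffix: occurrence count}.

    This plays the role of the server-side dataset in the k-anonymity model.
    """
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        prefix, suffix = h[:5], h[5:]
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


def range_response(index, prefix):
    """Simulated range query: every suffix sharing `prefix`, as 'SUFFIX:COUNT' lines.

    Only the prefix is ever sent, so the server cannot learn which password
    (or even which full hash) the client is checking.
    """
    bucket = index.get(prefix, {})
    return "\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))


def is_compromised(password, index):
    """Return (found, count) by hashing locally and matching the suffix client-side."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_response(index, prefix).splitlines():
        s, _, count = line.partition(":")
        if s == suffix:
            return True, int(count)
    return False, 0


def check_password_policy(password, index, min_len=8):
    """SP 800-63B-style acceptance test: length floor plus a breach-list check.

    Returns 'too short', 'compromised', or 'ok'. Composition rules (digits,
    symbols) are deliberately absent, in line with the guidance.
    """
    if len(password) < min_len:
        return "too short"
    found, _ = is_compromised(password, index)
    return "compromised" if found else "ok"


# Build the simulated dataset once at import time.
INDEX = build_range_index(SAMPLE_COMPROMISED)

if __name__ == "__main__":
    for candidate in ["123456", "password", "homelesspa", "xK9#qwLz-tree"]:
        print(f"{candidate!r}: {check_password_policy(candidate, INDEX)}")
```

The verdict strings are what a registration or password-change handler would act on; a compromised hit should be rejected with a message that says the password appeared in a breach, not that the account exists.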
Re: (Score:2)
Yep. I agree.
I also want to check for accounts of my co-workers.
Fun fact: Found one co-worker in the Ashley Maddison dump. He's now hooked up with a female co-worker and is divorcing his wife.
Re: (Score:2)
Yes and No.
there will be lame passwords, but some of this might be the fact that most firmware is backdoored.
https://www.google.com/search?... [google.com]
Re: (Score:1)
A magnet link was posted on reddit last week in the /r/pwned subreddit.
Re: (Score:2)
Sheesh (Score:1)
It would be really nice if things like this were posted and searchable...after all, the information's compromised and it would nice to be able to find out if your stuff was out there floating around in the wild...otherwise, thanks for the pointless and useless alarmism and giving me one more thing to worry about.
Re:Sheesh (Score:5, Informative)
The best I know of is https://haveibeenpwned.com/ [haveibeenpwned.com]. You can search for a single email address, or set up monitoring for your domains.
If this collection has email addresses, I wouldn't be too surprised to find it added to the collection there.
Re:Sheesh (Score:4, Interesting)
Searching for yourself only draws more attention. Each query is added to the database. Google picks up on those things when they scrape the site. Suddenly your name is everywhere in every search engine.
Um, yeah. They just may have thought of that one. Here's the robots.txt:
User-agent: *
Disallow: /Account/*
Disallow: /account/*
Disallow: /Verify/*
Disallow: /verify/*
Disallow: /HowFastIsAzureTableStorage/*
Disallow: /DomainSearch/*
Allow: /DomainSearch/$
Sitemap: https://haveibeenpwned.com/sit... [haveibeenpwned.com]
Re: (Score:2)
You could also look at Troy Hunt's FAQ and blog, where he specifically states that there is no record of searches on the site (beyond server crash logs and non-scraping analytics), but that would require actually trusting a well-respected infosec expert.
Re: (Score:2)
It does usernames, but no wildcards.
My Password is still good though? (Score:1)
Actually I use long randomly generated passwords, and KeePass2
Re: (Score:1)
So how are you going to check your car appointment with passwords you can't possibly remember, being 32 characters as random as possible?
Re: (Score:2)
Great...until you're at work and can't install the code, even the portable. So how are you going to check your car appointment with passwords you can't possibly remember, being 32 characters as random as possible?
I can always install the software.
Re: (Score:1)
Good for you.
For most of us working stiffs the drones (IT pros) have monitors all over the user machines either forbidding access to install anything or, better still, monitoring and reporting any "unauthorized" executable code followed by disconnect from intranets and therefore Internet making work impossible until a dressing down by idiot drones who will not take time to validate code behavior on open source.
Re:My Password is still good though? (Score:4, Informative)
Re: (Score:1)
Little bit cumbersome, but hey, whatever works
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Wouldn't matter what your password is if the database holding it is saved in plaintext or easily decryptable.
That would be why you never, ever reuse a password.
Great! (Score:5, Funny)
Re: (Score:1)
Actually, I do have that problem. Sigh.
Re: (Score:2)
Re: (Score:1)
The only account I have lost access to was because suddenly one day the site decided my computer was a new device. The site required me to enter the verification code they emailed to my CompuServe address. Nothing of value was lost though, it was my Yahoo account.
Re: (Score:2)
Re: where is the list? (Score:1)
I changed your mother's maiden status
Ha, "scanning the darkweb" (Score:2)
I love hearing about FUD like this making it seem like his firm has something special about it when it's just a guy using the same tools anyone else has to pose as a hacker in those dark net communities.
TL;DR: regularly change your passwords and use different passwords for email, banking, etc.
Re: (Score:2)
"Anyone else" typically does not have such tools. While the tools may well be "freely" accessible, they don't typically make them easy to find by people who aren't already in the in-group. Too much exposure to the public is inherently bad for criminal types as it tends to draw law enforcement much quicker.
Anyone have the torrent (Score:2)
Sources all over the web indicate there is a torrent. But thankfully they're being responsible and not publicly linking to this database that's been freely available to bad guys for days.
If anyone could link me it'd be great thanks.
MySpace (Score:3)
I read TFA. It has a list of the top 40 passwords. Seeing how two of those passwords are "myspace" and "homelesspa" (which was apparently a default password for a bot making fake MySpace accounts from what I can google in a few minutes), I'd say a sizable amount if not all are from a MySpace database leak. Over one million accounts just between those two passwords and they aren't even in the top ten. Not sure how the bell curve on bad passwords reads in telling us what percentage the myspace group would be if 1 million of the 13th and 28th most common passwords out of 1.4 billion of the total database.
monkey and dragon? (Score:2)
Those seem to be the only actual common words (ignoring "password")... I wonder why those two are so common? Are they used in a movie?
99.6% Old Credentials (Score:3)
Where's the database? (Score:2)