Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Databases Bitcoin Communications Privacy Security The Internet IT

Searchable Database of 1.4 Billion Stolen Credentials Found On Dark Web (itworldcanada.com) 72

YVRGeek shares a report from IT World Canada: A security vendor has discovered a huge list of easily searchable stolen credentials in cleartext on the dark web, which it fears could lead to a new wave of cyber attacks. Julio Casal, co-founder of identity threat intelligence provider 4iQ, which has offices in California and Spain, said in a Dec. 8 blog his firm found the database of 1.4 billion username and password pairs while scanning the dark web for stolen, leaked or lost data. He said the company has verified at least a group of credentials are legitimate. What is alarming is the file is what he calls "an aggregated, interactive database that allows for fast (one second response) searches and new breach imports." For example, searching for "admin," "administrator" and "root" returned 226,631 passwords of admin users in a few seconds. As a result, the database can help attackers automate account hijacking or account takeover. The dump file was 41GB in size and was found on December 5th in an underground community forum. The total amount of credentials is 1,400,553,869.
This discussion has been archived. No new comments can be posted.

Searchable Database of 1.4 Billion Stolen Credentials Found On Dark Web

Comments Filter:
  • Where? (Score:5, Insightful)

    by Spazmania ( 174582 ) on Tuesday December 12, 2017 @05:04PM (#55728067) Homepage

    Where can we get the file? NIST Special Publication 800-63-3 on authentication says we should check user's proposed passwords against a list of known compromised passwords. This sounds like a pretty good list.

  • by Anonymous Coward

    It would be really nice if things like this were posted and searchable...after all, the information's compromised and it would nice to be able to find out if your stuff was out there floating around in the wild...otherwise, thanks for the pointless and useless alarmism and giving me one more thing to worry about.

    • Re:Sheesh (Score:5, Informative)

      by Sarten-X ( 1102295 ) on Tuesday December 12, 2017 @05:16PM (#55728175) Homepage

      The best I know of is https://haveibeenpwned.com/ [haveibeenpwned.com]. You can search for a single email address, or set up monitoring for your domains.

      If this collection has email addresses, I wouldn't be too surprised to find it added to the collection there.

  • P@ssw0rd1 is still a good password, right?
    Actually I use long randomly generated passwords, and KeePass2
    • Great...until you're at work and can't install the code, even the portable.
      So how are you going to check your car appointment with passwords you can't possibly remember, being 32 characters as random as possible?
      • Great...until you're at work and can't install the code, even the portable. So how are you going to check your car appointment with passwords you can't possibly remember, being 32 characters as random as possible?

        I can always install the software.

      • I have PasswordSafe installed on my phone, and together with the Yubikey I can access my passwords whenever I like.
    • by muphin ( 842524 )
      wouldnt matter what your password is if the database holding it, is saved in plaintext or easily decryptable.
      • wouldnt matter what your password is if the database holding it, is saved in plaintext or easily decryptable.

        That would be why you never, ever reuse a password.

  • Great! (Score:5, Funny)

    by king neckbeard ( 1801738 ) on Tuesday December 12, 2017 @05:16PM (#55728171)
    Maybe now I can get back into some accounts I lost the password for.
    • by cdxta ( 1170917 )

      The only account I have lost access to was because suddenly one day the site decided my computer was a new device. The site required me to enter the verification code they emailed to my CompuServe address. Nothing of value was lost though, it was my Yahoo account.

  • I love hearing about FUD like this making it seem like his firm has something special about it when it's just a guy using the same tools anyone else has to pose as a hacker in those dark net communities.

    TL;DR: regularly change your passwords and use different passwords for email, banking, etc.

    • by Altrag ( 195300 )

      "Anyone else" typically does not have such tools. While the tools may well be "freely" accessible, they don't typically make them easy to find by people who aren't already in the in-group. Too much exposure to the public is inherently bad for criminal types as it tends to draw law enforcement much quicker.

  • Sources all over the web indicate there is a torrent. But thankfully they're being responsible and not publicly linking to this database that's been freely available to bad guys for days.

    If anyone could link me it'd be great thanks.

  • by painandgreed ( 692585 ) on Tuesday December 12, 2017 @06:41PM (#55728687)

    I read TFA. It has a list of the top 40 passwords. Seeing how two of those passwords are "myspace" and "homelesspa" (which was apparently a default password for a bot making fake MySpace accounts from what I can google in a few minutes), I'd say a sizable amount if not all are from a MySpace database leak. Over one million accounts just between those two passwords and they aren't even in the top ten. Not sure how the bell curve on bad passwords reads in telling us what percentage the myspace group would be if 1 million of the 13th and 28th most common passwords out of 1.4 billion of the total database.

  • Those seem to be the only actual common words (ignoring "password")... I wonder why those two are so common? Are they used in a movie?

  • by bengoerz ( 581218 ) on Wednesday December 13, 2017 @09:44AM (#55731479)
    According to Troy Hunt, 99.6% of this list is already in HaveIBeenPwned [twitter.com].
  • So where is this database? It would be nice to know if any of my passwords are on it...

A freelance is one who gets paid by the word -- per piece or perhaps. -- Robert Benchley

Working...