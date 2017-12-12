Searchable Database of 1.4 Billion Stolen Credentials Found On Dark Web (itworldcanada.com)
YVRGeek shares a report from IT World Canada: A security vendor has discovered a huge list of easily searchable stolen credentials in cleartext on the dark web, which it fears could lead to a new wave of cyber attacks. Julio Casal, co-founder of identity threat intelligence provider 4iQ, which has offices in California and Spain, said in a Dec. 8 blog his firm found the database of 1.4 billion username and password pairs while scanning the dark web for stolen, leaked or lost data. He said the company has verified that at least some of the credentials are legitimate. What is alarming is that the file is what he calls "an aggregated, interactive database that allows for fast (one second response) searches and new breach imports." For example, searching for "admin," "administrator" and "root" returned 226,631 passwords of admin users in a few seconds. As a result, the database can help attackers automate account hijacking or account takeover. The dump file was 41GB in size and was found on December 5th in an underground community forum. The total number of credentials is 1,400,553,869.
Where?
Where can we get the file? NIST Special Publication 800-63-3 on authentication says we should check users' proposed passwords against a list of known compromised passwords. This sounds like a pretty good list.

Yep. I agree.
I also want to check for accounts of my co-workers.
Fun fact: Found one co-worker in the Ashley Madison dump. He's now hooked up with a female co-worker and is divorcing his wife.

Sheesh
It would be really nice if things like this were posted and searchable...after all, the information's compromised and it would be nice to be able to find out if your stuff was out there floating around in the wild...otherwise, thanks for the pointless and useless alarmism and giving me one more thing to worry about.

The best I know of is https://haveibeenpwned.com/ [haveibeenpwned.com]. You can search for a single email address, or set up monitoring for your domains.
If this collection has email addresses, I wouldn't be too surprised to find it added to the collection there.
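The two comments above (the NIST compromised-password check, and the Have I Been Pwned suggestion) describe the same control from two sides: a site should reject passwords that appear in a breach corpus, but it should not have to download a 41GB dump, and it should not ship a user's full password hash to a third party to ask. The Pwned Passwords service solves this with a k-anonymity range query: the client hashes the password locally, sends only the first five hex characters of the SHA-1, and receives every suffix sharing that prefix to compare at home. The following is an added example, not code from the article, from 4iQ or from Have I Been Pwned. It implements both sides of that exchange against a constructed, made-up breach corpus so it runs offline, and layers the other NIST SP 800-63B section 5.1.1.2 checks (minimum length, no context-specific words such as the username) on top. The corpus contents, counts and function names are all assumptions for illustration.

```python
import hashlib
import secrets

# Constructed stand-in for a breach corpus like the dump discussed above.
# Passwords and hit counts are made up for this example; a real corpus is
# vastly larger, but the mechanics are identical.
CONSTRUCTED_BREACHED_PASSWORDS = {
    "password": 500000,
    "123456": 900000,
    "qwerty": 300000,
    "letmein": 40000,
    "admin": 20000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the encoding the Pwned Passwords service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Server side: index breached hashes by their 5-hex-char SHA-1 prefix.

    Mirrors the layout of the Pwned Passwords range endpoint, which answers
    a GET for a prefix with one 'SUFFIX:COUNT' line per hash sharing it.
    """
    index: dict = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


def range_lookup(index: dict, prefix: str) -> str:
    """Server side: the only thing the server ever learns is the 5-char prefix."""
    return "\r\n".join(index.get(prefix.upper(), []))


def breach_count(password: str, query) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home.

    `query` is any callable taking a prefix and returning the range response
    text; here it is the local stub, in production it would be an HTTPS GET.
    Returns the number of times the password was seen, 0 if absent.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in query(prefix).splitlines():
        if not line:
            continue
        cand_suffix, _, count = line.partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def check_memorized_secret(password: str, username: str, query) -> list:
    """NIST SP 800-63B 5.1.1.2 style screening of a proposed password.

    Returns the list of reasons for rejection; an empty list means accepted.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username (context-specific word)")
    n = breach_count(password, query)
    if n:
        problems.append(f"appears in breach corpus ({n} times)")
    return problems


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_BREACHED_PASSWORDS)
    query = lambda prefix: range_lookup(index, prefix)  # offline stand-in for the API
    for pw in ["password", "admin1234", secrets.token_urlsafe(24)]:
        print(repr(pw), check_memorized_secret(pw, "admin", query) or "ok")
```

The point of the prefix split is that the server cannot tell which of the hashes sharing a prefix the client actually holds, so even a logging or compromised lookup service learns nothing usable; the client does the final comparison. When wiring this to the real service, keep the lookup on a short timeout and fail open (accept, but log) only if your threat model tolerates it; a hard dependency on a third-party API in the registration path is its own availability risk.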
My Password is still good though?
Actually I use long randomly generated passwords, and KeePass2
Great!