alphaspirit - Fotolia

1.4 billion stolen credentials found on dark web

A massive repository containing more than 1.4 billion stolen credentials was found on the dark web with special features for malicious actors.

Researchers found a massive repository of cleartext stolen credentials on the dark web that is the largest of its kind.

Julio Casal, founder and CTO at 4iQ, an identity threat intelligence company based in Los Altos, Calif., said the company's researchers found the repository on Dec. 5 while scanning the deep and dark web for "stolen, leaked or lost data." The 41 GB repository contained 1.4 billion stolen credentials stored in cleartext and gathered from 252 previous breaches, including breaches of LinkedIn and Pastebin.

Casal said the repository was more advanced than just a storage bin for the stolen credentials.

"This is not just a list. It is an aggregated, interactive database that allows for fast (one second response) searches and new breach imports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover," Casal wrote in a Medium post. "This database makes finding passwords faster and easier than ever before. As an example searching for 'admin,' 'administrator' and 'root' returned 226,631 passwords of admin users in a few seconds."

Casal said this list of stolen credentials included the previous largest Exploit.in combo list -- that had exposed 797 million records -- and added data from an additional 133 breaches. The repo did not include stolen credentials from the Onliner spambot dump, another of the largest repositories of stolen credentials at 711 million accounts.

Reactions to the massive stolen credential repo

Experts noted that although the most frequently found passwords in the repository were not terribly secure -- top of the list were 123456, 123456789, qwerty and password -- users should beware of password reuse.

Tim Erlin, vice president of product management and strategy at Tripwire, the information security company headquartered in Portland, Ore., said that while the "sheer number of stolen credentials certainly makes for an impressive headline, it's unclear how many of these are new versus previously disclosed in another breach."

There have been so many breaches, and the complexity of creating and remembering passwords has become so great that passwords are now more effective at keeping legitimate users out of their own accounts than at stopping hackers.
John Gunnchief marketing officer, Vasco Data Security

"The reality is that these massive treasure troves of stolen credentials are out there on the dark web. Consumers need to be vigilant about changing their passwords and employing multi-factor authentication to prevent these stolen credentials from being used against them in the future," Erlin told SearchSecurity. "Consumers' best protection against stolen credentials being used against them is to regularly change passwords and to use multi-factor authentication wherever possible."

John Gunn, chief marketing officer at Vasco Data Security, an information security company headquartered in Oakbrook Terrace, Ill., said it is time the industry moved away from passwords altogether.

"There have been so many breaches, and the complexity of creating and remembering passwords has become so great that passwords are now more effective at keeping legitimate users out of their own accounts than at stopping hackers," Gunn told SearchSecurity. "Biometrics, behavior analysis and adaptive authentication are far more effective at stopping crime than passwords and they don't place any burden on the user -- this will quickly become the standard."

Philip Lieberman, president of Lieberman Software, a cybersecurity software company based in Los Angeles, agreed that traditional password systems were insufficient.

"The revelation of massive databases of credentials available on the dark web should concern regulators and governments about their lax policies on passwords, especially those used for elevated access. PCI and other regulatory standards that only require administrator password changes every 90 days are out of touch with reality," Lieberman told SearchSecurity. "Similarly, the obsession with removing clear text passwords by auditors and analysts via obfuscation rather than technology improvements, further cements the reality that current IT processes are out of step with the threats of today."

Dig Deeper on Data security and privacy