A single file on the dark web with a database of 1.4 billion clear text credentials not only is the largest aggregate found there but it opens a trove of credentials to even the least sophisticated hackers.

A single file on the dark web with a database of 1.4 billion clear text credentials not only is the largest aggregate found there but it opens a trove of credentials to even the least sophisticated hackers.

The breach is almost twice the size of the Exploit.in combo list that exposed 797 million credentials. Noting that the passwords in the latest find are not encrypted, Julio Casal, founder and CTO of 4iQ, which discovered the database, wrote in a blog post that “what’s scary is the we’ve tested a subset of these passwords and most of the have been verified to be true.”

This dump is an aggregate of 252 earlier breaches, “including known credential lists such as Anti Public and Exploit.in, decrypted passwords of known breaches like LinkedIn as well as smaller breaches like Bitcoin and Pastebin sites,” Casal said, explaining that because the database is interactive, searches are fast and new breaches can be imported.

“I’ve suggested that it would be possible to take stolen identity data, such as names, addresses, employer, spouse’s name, children’s names, etc  — anything identifiable and combine that with various other breaches to find common data points linking people to people, people to companies, companies to data, etc which would possibly be useful in targeted phishing or extortion attacks,” said Imperva CTO Terry Ray. “There certainly have been enough breaches to expose personally identifiable information in quantities useful in such analytics.” 

Ray doesn’t “think it will be long before aggregated data sets on the dark web are sold containing much more than passwords, given the breadth of data we know has been stolen over the years,” noting that the data currently found is “only valid as long as users continue to make poor choices in password usage.” 

But, he said, “stolen names, addresses, family member names, etc. don’t change nearly as often, if ever for some, so the long-term value and longevity of a more extensive analytic dataset would likely be very popular in some hands.”

The newly discovered “database makes finding passwords faster and easier than ever before,” said Casal. “As an example searching for “admin,” “administrator” and “root” returned 226,631 passwords of admin users in a few seconds.”

And because the information “is organised alphabetically, offering examples of trends in how people set passwords, reuse them and create repetitive patterns over time,” it “offers concrete insights into password trends,” said Casal.

This article originally appeared at scmagazineuk.com



Source link

NO COMMENTS

LEAVE A REPLY