December 11, 2017
A single file on the dark web holding a database of 1.4 billion clear text credentials is not only the largest aggregate found there, it also opens a trove of credentials to even the least sophisticated hackers.
The breach is almost twice the size of the Exploit.in combo list that exposed 797 million credentials. Noting that the passwords in the latest find are not encrypted, Julio Casal, founder and CTO of 4iQ, which discovered the database, wrote in a blog post that “what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true.”
This dump is an aggregate of 252 earlier breaches, “including known credential lists such as Anti Public and Exploit.in, decrypted passwords of known breaches like LinkedIn as well as smaller breaches like Bitcoin and Pastebin sites,” Casal said, explaining that because the database is interactive, searches are fast and new breaches can be imported.
“I’ve suggested that it would be possible to take stolen identity data, such as names, addresses, employer, spouse’s name, children’s names, etc. — anything identifiable and combine that with various other breaches to find common data points linking people to people, people to companies, companies to data, etc. which would possibly be useful in targeted phishing or extortion attacks,” said Imperva CTO Terry Ray. “There certainly have been enough breaches to expose personally identifiable information in quantities useful in such analytics.”
Ray doesn’t “think it will be long before aggregated data sets on the dark web are sold containing much more than passwords, given the breadth of data we know has been stolen over the years,” noting that the data currently found is “only valid as long as users continue to make poor choices in password usage.”