Millions of passwords exposed on the dark web


With over 700 million records, this is one of the largest troves of stolen information ever found

Ethical hacking and network security experts from the International Institute of Cyber Security reported the discovery of a gigantic database with more than 700 million email addresses in one of the most popular hacking forums on the dark web, which implies that cybercriminals hold one of the largest banks of stolen information ever known.

The database totals 87 GB, organized into 12k separate folders within a root folder called ‘Collection #1’. It was first identified on the Mega cloud storage service, from which it was subsequently removed, and it ended up in a dark web forum.

Network security expert Troy Hunt analyzed the database and found that it lists about one billion unique combinations of email addresses and passwords. After a cleanup process, about 773 million unique email addresses remained, the largest collection of stolen email addresses ever recorded in Have I Been Pwned, the site managed by Hunt.

In addition, Hunt mentioned that they found 21 million unique passwords in the database: “We found this information after implementing multiple cleanup processes, discarding passwords that were still in the form of hash, strings, control characters and SQL statement snippets,” the expert said.

Some files corresponding to other data breach incidents were included in this database, although researchers also found previously unrecorded information. Network security experts agree that this information circulated widely through various forums before Hunt discovered it.

“Obviously the huge amount of leaked data represents a greater number of people possibly affected,” Hunt said. “The more information the cybercriminals have available, the more likely they are to succeed in their malicious campaigns.”

According to researchers, the compromised information could be used primarily to carry out credential stuffing attacks, which consist of using automated scripts to test thousands of username/password combinations on a website. These attacks are often successful against users who reuse the same credentials for different services.

“Massive data breaches, as in the ‘Collection #1’ case, increase bot traffic on the login screens of multiple websites, because the hackers run through enormous lists of stolen passwords,” says network security expert Rami Essaid. “Any person or organization that uses login pages could become the next victim of a data breach.”
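For site operators, the bot traffic on login screens described above leaves a recognizable trace in authentication logs: one source trying many different accounts in a short time and mostly failing. The following detection sketch is an added example, not part of the original article; the log format, thresholds, IP addresses and usernames are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2019-01-17T10:00:01 198.51.100.7 alice@example.com FAIL
2019-01-17T10:00:03 198.51.100.7 bob@example.com FAIL
2019-01-17T10:00:05 198.51.100.7 carol@example.com FAIL
2019-01-17T10:00:08 198.51.100.7 dave@example.com FAIL
2019-01-17T10:00:11 198.51.100.7 erin@example.com FAIL
2019-01-17T10:00:14 198.51.100.7 frank@example.com OK
2019-01-17T10:01:00 203.0.113.20 bob@example.com FAIL
2019-01-17T10:01:09 203.0.113.20 bob@example.com FAIL
2019-01-17T10:01:20 203.0.113.20 bob@example.com FAIL
2019-01-17T10:01:35 203.0.113.20 bob@example.com OK
"""

def parse(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), outcome == "OK"

def detect_stuffing(lines, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, fail_ratio)} for sources that, inside a
    sliding time window, tried many different accounts and mostly failed."""
    recent = defaultdict(deque)          # ip -> attempts still inside the window
    flagged = {}
    for ts, ip, user, ok in sorted(parse(l) for l in lines if l.strip()):
        attempts = recent[ip]
        attempts.append((ts, user, ok))
        while ts - attempts[0][0] > window:   # expire attempts older than window
            attempts.popleft()
        users = {u for _, u, _ in attempts}
        fail_ratio = sum(not o for _, _, o in attempts) / len(attempts)
        # Many accounts plus a high failure rate separates stuffing from a
        # single user who mistypes their own password a few times.
        if len(users) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = max(flagged.get(ip, (0, 0.0)), (len(users), fail_ratio))
    return flagged

if __name__ == "__main__":
    for ip, (users, ratio) in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {users} accounts tried, {ratio:.0%} failed")
```

The one successful login from the flagged source is the case that matters most for response: that account's password was reused and should be reset.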