Billions of email addresses and plain text passwords have been leaked online by an unnamed party, putting countless internet users at risk from credential stuffing and other attacks.
Security researcher Bob Diachenko discovered the unsecured Elasticsearch database on December 4, although it was first indexed by the BinaryEdge search engine and therefore publicly available from the very start of the month.
After he notified the US-based ISP hosting the IP address, access to the database was eventually disabled on December 9, giving potential hackers more than enough time to harvest the trove of log-in data.
In total, the database contained 2.7 billion email addresses, and plain text passwords for more than one billion of them — providing a perfect starting point for a credential stuffing campaign.
Working with Comparitech, Diachenko deduced that much of the data was harvested from a 2017 listing by a hacker known as “DoubleFlag.” Dubbed “The Big Asian Leak,” it included breached credentials from multiple internet companies from the region, including NetEase, Tencent, Sohu, and Sina.
The new 1.5TB leak features mainly emails from Chinese domains including qq.com, 139.com, 126.com, gfan.com, and game.sohu.com, although there is a smattering of Gmail and Yahoo addresses, according to Comparitech.
“Because many Chinese people have difficulty reading English characters, they often use their phone numbers or other numerical identifiers as usernames. Therefore, we can assume many of these email addresses also contain phone numbers,” wrote the firm’s privacy advocate, Paul Bischoff.
It’s unclear who the owner of the exposed database is; it could theoretically have been set up as the first stage in a credential stuffing or even a spam campaign.
The implications stretch beyond the security of victims’ personal accounts, according to Vinay Sridhara, CTO of Balbix.
“Since many employees share passwords between their work and personal accounts, this leak is not only problematic for the individuals who own the accounts, but a big risk for enterprises globally as well,” he argued.
“Enterprises should use this as an opportunity to scan for password reuse immediately, and on an ongoing basis, to limit their exposure to this incident.”
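Sridhara's advice to scan for password reuse is the one actionable step in the piece. As an added example (not code from Comparitech's report or from any product named here), the Python below shows the two checks an enterprise would run against a dump in the email:password form described above: match leaked corporate addresses against the directory's current password hashes, and refuse any leaked password at reset time so reuse is caught even when the employee's address is not in the dump. The dump lines, the example-corp.com domain, the user names and the salted-PBKDF2 credential store are all constructed for illustration; a real deployment would plug in whatever verifier its directory uses.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple

# Constructed sample in the email:password form the article describes (not real leaked data).
# The line with no separator stands in for the junk such dumps always contain.
LEAK_DUMP = """\
13800138000@qq.com:123456
user01@139.com:qwerty123
zhang.wei@126.com:Summer2017!
Alice@Example-Corp.com:CorpPassw0rd!
bob@example-corp.com:hunter2
someone@gmail.com:pass:word
garbage-line-without-separator
"""

Record = Tuple[str, str]  # (email, plaintext password)


def parse_dump(text: str) -> Iterator[Record]:
    """Yield (email, password) pairs. Split on the first ':' only, since passwords may contain ':'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blanks and malformed lines instead of aborting the scan
        email, password = line.split(":", 1)
        if "@" not in email or not password:
            continue
        yield email.strip().lower(), password


def leaked_password_hashes(records: Iterable[Record]) -> Set[str]:
    """Reduce the dump to SHA-1 hex digests so no plaintext needs to be kept around.
    Uppercase hex matches the Pwned Passwords-style corpus format."""
    return {hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() for _, pw in records}


def leaked_accounts_for_domain(records: Iterable[Record], domain: str) -> Dict[str, str]:
    """Leaked rows whose address belongs to the corporate domain (case-insensitive)."""
    suffix = "@" + domain.lower()
    return {email: pw for email, pw in records if email.endswith(suffix)}


# Stand-in for the enterprise credential store: salted PBKDF2 (an assumption; any verifier works).
def make_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = make_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed corporate users: alice reuses her leaked password, bob has since changed his,
# carol's address is not in the dump but her password is one of the leaked ones.
CORP_USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example-corp.com": make_hash("CorpPassw0rd!"),
    "bob@example-corp.com": make_hash("Tr0ub4dor&3-unique"),
    "carol@example-corp.com": make_hash("123456"),
}


def find_reuse(records: List[Record], corp_users: Dict[str, Tuple[bytes, bytes]], domain: str) -> List[str]:
    """Accounts whose *current* corporate password equals the one leaked for that address.
    Only the dump's rows for the domain are tried, so the cost is bounded by those hits,
    not by users x leaked passwords (which would be infeasible at a billion rows)."""
    hits = []
    for email, leaked_pw in leaked_accounts_for_domain(records, domain).items():
        if email in corp_users:
            salt, digest = corp_users[email]
            if verify(leaked_pw, salt, digest):
                hits.append(email)
    return sorted(hits)


def password_is_leaked(candidate: str, leaked_hashes: Set[str]) -> bool:
    """Reset-time check: reject any new password that appears anywhere in the leak corpus.
    This is how carol's reuse is caught even though her address is not in the dump."""
    return hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper() in leaked_hashes


if __name__ == "__main__":
    recs = list(parse_dump(LEAK_DUMP))
    hashes = leaked_password_hashes(recs)
    print("parsed records:", len(recs))
    print("corporate accounts in dump:", sorted(leaked_accounts_for_domain(recs, "example-corp.com")))
    print("current-password reuse:", find_reuse(recs, CORP_USERS, "example-corp.com"))
    print("reset-time check for '123456':", password_is_leaked("123456", hashes))
```

Two practical points: hash the dump as soon as it is ingested and discard the plaintexts, since a copy of a billion plaintext passwords is itself a liability; and keep the address-matching step bounded to the corporate domain, because trying every leaked password against every directory hash is the exact brute-force workload credential stuffers run, only pointed at your own systems.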