Security researchers claim to have discovered a database containing a staggering 1.4 billion breached credentials, the largest of its kind ever discovered on the dark web.
The list is said to be nearly twice as big as the previous largest discovered, an Exploit.in database which exposed 797 million records, according to Julio Casal, co-founder of dark web analysis firm 4IQ.
“This dump aggregates 252 previous breaches, including known credential lists such as Anti Public and Exploit.in, decrypted passwords of known breaches like LinkedIn as well as smaller breaches like Bitcoin and Pastebin sites,” he explained in a blog post.
“This is not just a list. It is an aggregated, interactive database that allows for fast (one second response) searches and new breach imports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover.”
The credentials are stored in plain text and the database even includes examples of how people set passwords, reuse them and create repetitive patterns over time.
The 41GB data dump was updated as recently as the end of November, and includes 385 million new credential pairs from 318 million unique users not seen in the Exploit.in and Anti Public lists.
The most popular password was “123456”, having been used over 9.2 million times, followed by “123456789”, which is featured in the dump over 3.1 million times.
Satya Gupta, founder and CTO of Virsec Systems, argued the discovery highlights how easy it has become for unsophisticated hackers to get hold of sensitive personal data.
"As this data becomes commoditized, its value does diminish, but [that’s] of little comfort to consumers, whose data is available to thousands of criminals,” he added. “These dark web marketplaces are probably also funding more advanced, and stealthy attacks being designed against high-value corporate, government and infrastructure targets."
Michael Magrath, director of Global Regulations & Standards at VASCO Data Security argued that the incident shows why knowledge-based verification and static passwords are no longer fit-for-purpose.
“The industry has come a long way over the past few years offering a variety of frictionless authentication solutions that do not require users to remember complex static passwords, but instead leverage integrated technologies in smartphones and other mobile devices such as facial recognition, fingerprint and adaptive authentication,” he added.
“Multi-factor authenticators are an integral part of a risk-based approach to cybersecurity. Perhaps 1.4 billion credentials will finally put the final nail in the password coffin.”