Security company discovers database of 1.4B user credentials on the dark web
It’s getting easier for hackers to obtain user credentials in bulk.
A security company has discovered a download containing 1.4 billion records offered for sale on the dark web, the largest aggregate database found on the dark web to date.
4iq Inc. made the discovery, detailing on Medium Friday that it found the file for sale in “an underground community forum” and that the database included unencrypted passwords for the 1.4 billion accounts listed within it. The dark web is a shady part of the internet that requires special software to access.
The user credentials themselves are said to include data mostly from 252 previous breaches, including credentials from existing services such as Anti Public and Exploit.in and decrypted passwords from previously disclosed hacks such as that of LinkedIn. An estimated 14 percent of the records found in the database are believed to be fresh data: username/password pairs that had not previously been decrypted by the hacking community.
Although the 1.4 billion records is an impressive figure by itself, the way the credentials are stored within the download is said to be the more disturbing part of the discovery. “This is not just a list,” 4iq’s Julio Casal wrote. “It is an aggregated, interactive database that allows for fast (one second response) searches and new breach imports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover.”
4iq is continuing to analyze the data, but it has already found that some things never change when it comes to hacked data: People use stupid, unsafe passwords. Of the 1.4 billion records, the most common password used was 123456, with 9.2 million entries, followed by 123456789 in second place with 3.1 million instances found. Qwerty, “password,” 111111, 12345678 and abc123 were the remaining passwords to have recorded over 1 million instances in the database.
The implication is that individual users are bad at setting strong passwords. Yet some of the blame lies with large businesses failing to prevent customers and employees from using such passwords to begin with. In August, a report from Dashlane Inc. found that 46 percent of consumer sites and 36 percent of enterprise sites failed to implement even the most basic password security requirements.