
Hacker Collusion - 1.4 BILLION Credentials in a Single Database

FirstArmada

Source

 

On December 9, researchers from security firm 4iQ reported a massive collective database of usernames and passwords hosted on the dark web and on torrent sites. Compiled into a massive 41GB dump file, 4iQ researchers called it the “largest collection of credentials found in the dark web to date”.

 

 

To be clear, this is not a new leak, but a huge database of numerous data breaches combined. Why this matters is it makes it much, much easier for crackers to access your accounts by making cracking a very easy thing to set up. Mind you, it is still time-consuming running through a list of 1.4 billion credentials, but just having it all in one place is a huge convenience for crackers.

 

 

Article


Quote

A Massive Resource for Cybercriminals Makes it Easy to Access Billions of Credentials.

Now even unsophisticated and newbie hackers can access the largest trove ever of sensitive credentials in an underground community forum. Is the cyber crime epidemic about to become exponentially worse?

While scanning the deep and dark web for stolen, leaked or lost data, 4iQ discovered a single file with a database of 1.4 billion clear text credentials — the largest aggregate database found in the dark web to date.

None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true.

The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records. This dump aggregates 252 previous breaches, including known credential lists such as Anti Public and Exploit.in, decrypted passwords of known breaches like LinkedIn as well as smaller breaches like Bitcoin and Pastebin sites.

This is not just a list. It is an aggregated, interactive database that allows for fast (one second response) searches and new breach imports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover.

This database makes finding passwords faster and easier than ever before. As an example searching for “admin,” “administrator” and “root” returned 226,631 passwords of admin users in a few seconds.

The data is organized alphabetically, offering examples of trends in how people set passwords, reuse them and create repetitive patterns over time. The breach offers concrete insights into password trends, cementing the need for recommendations, such as the NIST Cybersecurity Framework.

While we are still processing the data, below are the technical details of our initial findings, including:

  • Sources of the Data
  • Details about the Dump File
  • Data Freshness
  • Discoveries regarding Credential Stuffing and Password Reuse

Source of the Data

The dump includes a file called “imported.log” with 256 corpuses listed, including and with added data from all those in the Exploit.in and Anti Public dumps as well as 133 additional or new breaches. Some examples of the breaches listed in the file we found:

[Image: Last breaches added to the database]

About the Dump File

The 41GB dump was found on 5th December 2017 in an underground community forum. The database was recently updated with the last set of data inserted on 11/29/2017. The total amount of credentials (usernames/clear text password pairs) is 1,400,553,869.

There is no indication of the author of the database and tools, although Bitcoin and Dogecoin wallets are included for donation.

The data is structured in an alphabetic directory tree fragmented in 1,981 pieces to allow fast searches.

[Image: Data is fragmented and sorted in two and three level directories]

The dump includes search tools and insert scripts explained in a README file.

Freshness

We’ve found that although the majority of these breaches are known within the Breach and Hacker community, 14% of exposed username/passwords pairs had not previously been decrypted by the community and are now available in clear text.

We compared the data with the combination of two larger clear text exposures, aggregating the data from Exploit.in and Anti Public. This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps.

[Image: Data comparison with Exploit.in and Anti Public breaches]

Credential Stuffing and Password Reuse

Since the data is alphabetically organized, the massive problem of password reuse — same or very similar passwords for different accounts — appears constantly and is easily detectable.

A couple of the constant examples of password reuse that can be found:

[Image: password reuse examples discovered]

And how password patterns change over time:

[Image: password patterns discovered]

Top Passwords

The list of top 40 Passwords and volume found:

[Image: table of the top 40 passwords and their volumes]

More Analysis, Stay Tuned

This experience of searching and finding passwords within this database is as scary as it is shocking. Almost all of the users we’ve checked have verified the passwords we found were true. Most reactions were

but that’s an old password…

commonly followed by an

Oh my god! I still use that password in <this> site…

a few seconds later.

4iQ’s mission is to protect your digital identity in the new data breach era by scanning the surface, social and deep and dark web.

We will be following up with more information soon and will provide solutions to protect consumers and companies from this and other alarming exposures.


 

 

 

UPDATE

Here's how to see if you've been affected without going out and finding the database

 

 

 

You can use Troy Hunt’s https://haveibeenpwned.com/Passwords where you can type a password and verify if it is exposed in his compilation of 320M passwords.

 

We are happy to send exposed passwords (truncated) to you.

 

If you write us an email to verification@4iq.com with subject line: Password Exposure Check we will respond with the truncated list of found passwords for that email. Of course we will only report the passwords related to the specific email from which you write us. So if you want to verify different emails you will have to send an email from each of them.

 

We would appreciate help in verifying the authenticity of the data. Once you get our reply from verification@4iq.com, be sure to reset your passwords and for those that are no longer in use, let us know if the truncated password is correct — we will publish statistics on these findings.


God Damn it. PEOPLE STOP USING P@SSWORD.. 

 

including me... :ph34r:


Brb, have to download a file. 

 

For real though, while I'm not surprised this exists, it still doesn't change the fact that it's a bit scary it exists


What the hell, how are people so stupid as to use these shitty passwords? That's just asking for getting screwed... 


34 minutes ago, Bananasplit_00 said:

What the hell, how are people so stupid as to use these shitty passwords? That's just asking for getting screwed... 

Well, in this case a very good password is in plain view, so it doesn't matter either way.


Just now, mynameisjuan said:

Well, in this case a very good password is in plain view, so it doesn't matter either way.

I'm mostly referring to the statistics, how the most used password is "password"... that's just outright stupid, anyone should be able to get that it's a shitty choice


1 minute ago, Bananasplit_00 said:

I'm mostly referring to the statistics, how the most used password is "password"... that's just outright stupid, anyone should be able to get that it's a shitty choice

no shit "password" is a bad password. I am surprised that you think people would have learned over the years. 


For anyone looking at the "password" and losing faith in humanity - it's only 0.6%. Top 5 sums up to only 1.1824% #ididthemath So calm down, people aren't that stupid


monkey and dragon are my favourites.

 

Also, is this list searchable? so you can check for usernames you use?


39 minutes ago, Nicnac said:

monkey and dragon are my favourites.

 

Also, is this list searchable? so you can check for usernames you use?

 

It is quite easy to find as well, if you know where to look that is


1 hour ago, Nicnac said:

monkey and dragon are my favourites.

 

Also, is this list searchable? so you can check for usernames you use?

Ctrl+F should work


It's completely worth it for someone to buy, say, 6 high-end GPUs and get through that list in only a couple hours if their goal of cracking x password means the gain outweighs the cost.


Make sure you aren't in the list, people.


40 minutes ago, Crunchy Dragon said:

Ctrl+F should work

dunno if u jk ... I mean is the full list published somewhere so people can check if they are affected?


6 minutes ago, Nicnac said:

dunno if u jk ... I mean is the full list published somewhere so people can check if they are affected?

You can download it to check


1 minute ago, Crunchy Dragon said:

I'm sure it's not hard to find via google

Found it in the update section of the source link that sneaky op has cleverly hidden from me :P 


I'm not surprised by 39 of the top 40 passwords, but how the heck is homelesspa one of them?!?!

What I find most concerning with this is that it's easy to look at a particular user's password patterns. (For example one user may use GooglePassword then LTTPassword, and if they updated their pattern and one site was breached, it makes it pretty easy for someone to guess another site's password.) Granted a user shouldn't use a pattern for their passwords, but you know it's common. (At least when they aren't outright reusing the same one)

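The pattern reuse raised in the post above (a site name around a fixed base, and the "same or very similar passwords" the quoted article describes), as an added example that is not part of the thread or of 4iQ's tooling: a password-change check that flags a new password which is only a variant of one already exposed for the same user. The function names, the site-token list, the 0.8 threshold and the sample passwords are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Common character substitutions folded back to letters before comparing.
LEET = str.maketrans("@4308157$!", "aaeobistsi")
# Counters, years and punctuation that users append or prepend to a base word.
EDGE = r"[\d!?.*#_-]+"

def skeleton(password, site_tokens=()):
    """Reduce a password to the part a user tends to carry from site to site."""
    s = password.lower()
    for tok in site_tokens:              # drop embedded service names
        s = s.replace(tok.lower(), "")
    s = re.sub(EDGE + "$", "", s)        # drop trailing year/counter/punctuation
    s = re.sub("^" + EDGE, "", s)        # and leading ones
    return s.translate(LEET)             # undo simple character swaps

def reuse_verdict(candidate, exposed, site_tokens=(), threshold=0.8):
    """Return 'exact', 'variant' or 'ok' for a candidate password.

    `exposed` holds passwords already known to be leaked for this user
    (assumption: supplied by a breach-notification process).
    """
    cand = skeleton(candidate, site_tokens)
    verdict = "ok"
    for old in exposed:
        if candidate == old:
            return "exact"
        base = skeleton(old, site_tokens)
        if len(base) < 4 or len(cand) < 4:
            continue                     # too short to compare meaningfully
        ratio = SequenceMatcher(None, cand, base).ratio()
        if cand == base or ratio >= threshold:
            verdict = "variant"
    return verdict

# Constructed sample data, not taken from any real dump.
EXPOSED = ["GoogleTiger!2015", "Tiger2016"]
SITES = ("google", "ltt")

if __name__ == "__main__":
    for pw in ("GoogleTiger!2015", "LTTTiger!2017", "T1g3r2018",
               "correct-horse-battery-staple"):
        print(pw, "->", reuse_verdict(pw, EXPOSED, SITES))
```

A 'variant' verdict is a reason to reject the new password at change time, in the same way an exact match against a breached-password list would be.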


I used a simple password for years, just because I thought I would not get hit. Guess people underestimate their chances of getting pwned.
