A database has been discovered on the dark web containing 1.4 billion unencrypted username and password combinations.
A 41GB file was found on the dark web: a fully loaded database containing the information needed to compromise an account. It is considered the largest such database ever to appear on the dark web, and it can be used for targeted attacks.
With the quantity of information on the database, attacks can be tailored with specific information to create realistic, personalised attack campaigns like targeted phishing attacks.
The most worrying part of this database is the vast amount of seemingly inconsequential data that has been collected together and can be used to create an effective phishing campaign, tailored to a precise individual. If they can get your information correct, trust is easy to build with a recipient.
The 41GB of data is organised alphabetically, which exposes password trends, repetitions and reuse. Because people have the bad habit of reusing passwords across email, social media, e-commerce, banking and work accounts, a single leaked credential can be enough for an account to be hijacked or taken over.
All the data is in one easy-to-find, downloadable and searchable database, where a name, address and date of birth can be looked up in moments. Combined with social engineering, or with your own password combinations, this could lead to sensitive or financial data being compromised.
All the data is from various sources, data breaches, and stolen credential lists, including data dumps from LinkedIn, MySpace, Netflix, Bitcoin, Pastebin, Last.FM, Zoosk, YouPorn, Badoo, RedBox, Minecraft, and Runescape.
Mark James, ESET IT Security Specialist, discusses this immense database and his concerns about password reuse and easy-to-guess passwords.
“The idea of all our stolen or breached data being collated into an easy to search, super database for anyone with the required access to view should be shocking, but sadly it is not.
“With one of our biggest failings being password reuse, it makes perfect sense for bad actors to collate all of this data for later use.
“With so many online accounts owned by each of us it may be quite hard to determine what accounts we have, and forgotten about, and which ones contain data.
“With each breach that happens, the data that’s stolen may show patterns and trends in our password practices.
“If we are forced to change passwords regularly, it may show our thought processes that could enable an attacker to utilise that data for later attacks.
“One of the concerns as always is the amount of simple and common passwords that are commonly used: “123456”, “password” and “qwerty” showing up, and should simply never ever be used in any circumstances.”
Does this make you think about how much of your private information is available online? Let us know on Twitter @ESETUK.