Researchers find trove of 1.4 billion credentials

Security researchers have discovered what is believed to be the largest aggregate database found on the dark web to date, prompting fresh calls for improved identity management.

Dark web monitoring firm 4iQ has discovered a 41GB data file containing 1.4 billion login credentials, including emails and passwords in clear text format.

The credential cache, collected from various sources and breaches, is believed to be the largest of its type, surpassing the 711 million email account credentials discovered in August 2017.

The passwords are believed to come from credential lists such as Anti Public and Exploit.in, as well as dumps from breaches at LinkedIn, MySpace, Netflix, Bitcoin, Pastebin, Last.FM, Zoosk, YouPorn, Badoo, RedBox, Minecraft and Runescape.

“None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true,” 4iQ wrote in a blog post.

According to the researchers, they have uncovered an “aggregated, interactive database” that allows for fast (one-second response) searches and new breach imports.

“Given the fact that people re-use passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover,” said 4iQ.

According to researchers, the database makes finding passwords faster and easier “than ever before” for malicious actors, with a search for “admin”, “administrator” and “root” delivering 226,631 passwords used by administrators in seconds.

Although the majority of the breaches are known within the breach and hacker community, 4iQ said 14% of exposed credentials had not previously been decrypted by the community and were now available in clear text.

According to the researchers, the database was discovered on 5 December in an underground community forum and was last updated on 29 November, but it is unclear who is responsible for the database.

“This new breach adds 385 million new credential pairs, 318 million unique users and 147 million passwords pertaining to those previous dumps,” said 4iQ.

The database exposes the common tendency of people to re-use simple, easy-to-remember passwords across different platforms, such as “123456”, “123456789”, “qwerty”, and “password”.

Philip Lieberman, president of Lieberman Software, said the revelation of massive databases of credentials available on the dark web should concern regulators and governments about their lax policies on passwords, especially those used for elevated access. 

“PCI DSS and other regulatory standards that only require administrator password changes every 90 days are out of touch with reality. Similarly, the obsession with removing clear text passwords by auditors and analysts via obfuscation rather than technology improvements further cements the reality that current IT processes are out of step with the threats of today,” he said.

According to Lieberman, IT must undergo a revolution in identity management by turning over the manual management of identities and passwords to automated privileged identity management systems that can change passwords every few hours to remove any value for stolen credentials. 

“By adding an additional layer of multi-factor authentication over the top of ever-changing passwords, IT can achieve real security and destroy the value of these treasure troves of stolen credentials,” he said.
