Slashdot Mirror


Searchable Database of 1.4 Billion Stolen Credentials Found On Dark Web (itworldcanada.com)

YVRGeek shares a report from IT World Canada: A security vendor has discovered a huge list of easily searchable stolen credentials in cleartext on the dark web, which it fears could lead to a new wave of cyber attacks. Julio Casal, co-founder of identity threat intelligence provider 4iQ, which has offices in California and Spain, said in a Dec. 8 blog his firm found the database of 1.4 billion username and password pairs while scanning the dark web for stolen, leaked or lost data. He said the company has verified at least a group of credentials are legitimate. What is alarming is the file is what he calls "an aggregated, interactive database that allows for fast (one second response) searches and new breach imports." For example, searching for "admin," "administrator" and "root" returned 226,631 passwords of admin users in a few seconds. As a result, the database can help attackers automate account hijacking or account takeover. The dump file was 41GB in size and was found on December 5th in an underground community forum. The total amount of credentials is 1,400,553,869.

72 comments

  1. Good by Anonymous Coward · · Score: 0

    maybe now people will take OTP more seriously, if not finding it is good anyway to force resets

    but maybe say the fucking source of the breach or the domains included

  2. Where? by Spazmania · · Score: 5, Insightful

    Where can we get the file? NIST Special Publication 800-63-3 on authentication says we should check user's proposed passwords against a list of known compromised passwords. This sounds like a pretty good list.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
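The check Spazmania refers to, written out as an added example (this code is not from the thread, from 4iQ, or from NIST): SP 800-63B, the memorized-secret volume of the 800-63-3 suite, asks verifiers to reject a candidate password that appears in a corpus of known-compromised values and to require at least 8 characters. The compromised list below is a constructed sample standing in for a real breach corpus, and the 5-character SHA-1 prefix bucketing is an assumption of this example, chosen so a caller can query a range of the index without revealing the full hash; the post itself describes neither.

```python
import hashlib

# Constructed sample standing in for a breach corpus such as the one in the
# story; a real list would hold hundreds of millions of entries.
SAMPLE_COMPROMISED = [
    "123456", "password", "P@ssw0rd1", "qwerty", "monkey", "dragon",
    "myspace", "homelesspa", "letmein", "admin",
]

# SP 800-63B minimum length for a user-chosen memorized secret.
MIN_LENGTH = 8


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class CompromisedPasswordIndex:
    """SHA-1 digests of compromised passwords, bucketed by the first five hex
    characters so a lookup can be served from a prefix range alone (assumed
    layout for this example, not something the post describes)."""

    def __init__(self, passwords):
        self.buckets = {}
        for pw in passwords:
            digest = sha1_hex(pw)
            self.buckets.setdefault(digest[:5], set()).add(digest[5:])

    def range(self, prefix: str) -> set:
        """All digest suffixes stored under a 5-hex-character prefix."""
        return self.buckets.get(prefix.upper(), set())

    def contains(self, password: str) -> bool:
        """True when the password's digest is in the index."""
        digest = sha1_hex(password)
        return digest[5:] in self.range(digest[:5])


def evaluate_password(candidate: str, index: CompromisedPasswordIndex):
    """Apply the 800-63B checks and return (accepted, reason)."""
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    if index.contains(candidate):
        return False, "found in compromised-password list"
    return True, "ok"


if __name__ == "__main__":
    idx = CompromisedPasswordIndex(SAMPLE_COMPROMISED)
    for pw in ["P@ssw0rd1", "monkey", "correct horse battery staple"]:
        print(pw, evaluate_password(pw, idx))
```

Because the comparison is on digests, the same index can be built from a list that is only distributed as hashes, and the prefix-range lookup means a client never has to hand the full digest of a live password to whatever holds the list.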
    1. Re:Where? by rainer_d · · Score: 1

      Yep. I agree.
      I also want to check for accounts of my co-workers.

      Fun fact: Found one co-worker in the Ashley Madison dump. He's now hooked up with a female co-worker and is divorcing his wife.

      --
      Windows 2000 - from the guys who brought us edlin
    2. Re:Where? by Anonymous Coward · · Score: 0

      Yep. I agree.
      I also want to check for accounts of my co-workers.

      Fun fact: Found one co-worker in the Ashley Madison dump. He's now hooked up with a female co-worker and is divorcing his wife.

      Do you normally worry so much about things that don't concern you?

      You're not a post-menopausal woman, are you? They're famous for gossip you know. The majority of them get more and more petty and small-minded with age. It makes sense really. They got all flabby and out of shape, then they cropped their hair short - now their hubby lost interest (we often call this "erectile dysfunction" because it sells pills). Any children they have grew up and left home so their nest is empty. They're likely retired so no career anymore. In short, they have no lives of any kind of substance. So suddenly, the mundane minutia of other peoples' lives seems so very interesting to them.

      Is that you?

    3. Re:Where? by Ex-MislTech · · Score: 1

      Yes and No.

      there will be lame passwords, but some of this might be the fact that most firmware is backdoored.

      https://www.google.com/search?...

      --
      google "32 trillion offshore needs IRS attention"
    4. Re:Where? by Anonymous Coward · · Score: 0

      7ffbcd8cee06aba2ce6561688cf68ce2addca0a3

    5. Re:Where? by shm · · Score: 1

      A magnet link was posted on reddit last week in the /r/pwned subreddit.

    6. Re:Where? by Anonymous Coward · · Score: 0

      Pot meet kettle.

    7. Re: Where? by Anonymous Coward · · Score: 0

      Is BitTorrent considered "the dark web" these days?

    8. Re: Where? by Anonymous Coward · · Score: 0

      His wife hadn't put out in years... Ashley Madison is all bots, with a few hooked mixed in

  3. All you need to know is by Anonymous Coward · · Score: 0

    Bond
    James Bond

    1. Re:All you need to know is by Sarten-X · · Score: 1

      I've used that on isolated systems before, in days long gone by. Now, many login systems recognize that the username and password partially match, and it rejects the pair.

      --
      You do not have a moral or legal right to do absolutely anything you want.
  4. Let me the first to say by Anonymous Coward · · Score: 0

    Thanks, Equifax!

  5. Sheesh by Anonymous Coward · · Score: 1

    It would be really nice if things like this were posted and searchable...after all, the information's compromised and it would be nice to be able to find out if your stuff was out there floating around in the wild...otherwise, thanks for the pointless and useless alarmism and giving me one more thing to worry about.

    1. Re:Sheesh by Sarten-X · · Score: 5, Informative

      The best I know of is https://haveibeenpwned.com/. You can search for a single email address, or set up monitoring for your domains.

      If this collection has email addresses, I wouldn't be too surprised to find it added to the collection there.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:Sheesh by Anonymous Coward · · Score: 0

      Hey, thanks for the info!

    3. Re:Sheesh by fustakrakich · · Score: 0

      Searching for yourself only draws more attention. Each query is added to the database. Google picks up on those things when they scrape the site. Suddenly your name is everywhere in every search engine.

      --
      “He’s not deformed, he’s just drunk!”
    4. Re: Sheesh by Anonymous Coward · · Score: 0

      Download the torrent and find out... it's only ~50gb. HEH

      See a comment near top for the torrent magnet ID

    5. Re:Sheesh by Anonymous Coward · · Score: 0

      One could automate "searches" for randomly generated names, which would serve to seed the database with incredible numbers of non-existent people. And for that matter, I wonder if there is a way to seed the database with trillions of incorrect username/password combinations.

    6. Re:Sheesh by Anonymous Coward · · Score: 0

      here is the magnet link for the torrent:

      magnet:?xt=urn:btih:7ffbcd8cee06aba2ce6561688cf68ce2addca0a3&dn=BreachCompilation&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969&tr=udp%3A%2F%2Fglotorrents.pw%3A6969&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337

    7. Re:Sheesh by SlaveToTheGrind · · Score: 3, Interesting

      Searching for yourself only draws more attention. Each query is added to the database. Google picks up on those things when they scrape the site. Suddenly your name is everywhere in every search engine.

      Um, yeah. They just may have thought of that one. Here's the robots.txt:

      User-agent: *
      Sitemap: https://haveibeenpwned.com/sit...
      Disallow: /Account/*
      Disallow: /account/*
      Disallow: /Verify/*
      Disallow: /verify/*
      Disallow: /HowFastIsAzureTableStorage/*
      Disallow: /DomainSearch/*
      Allow: /DomainSearch/$

    8. Re:Sheesh by Anonymous Coward · · Score: 0

      Yeah, right! Like Google respects that shit... Pull the other one.

      Have to post AC, because mods don't like the truth, as usual.

    9. Re:Sheesh by Sarten-X · · Score: 1

      You could also look at Troy Hunt's FAQ and blog, where he specifically states that there is no record of searches on the site (beyond server crash logs and non-scraping analytics), but that would require actually trusting a well-respected infosec expert.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    10. Re:Sheesh by Anonymous Coward · · Score: 0

      > [haveibeenpwned.com]. You can search for a single email address

      Does it support partials, like just usernames, or wildcards?

    11. Re:Sheesh by Sarten-X · · Score: 1

      It does usernames, but no wildcards.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    12. Re:Sheesh by Anonymous Coward · · Score: 0

      that would require actually trusting

      Well, that's the rub, isn't it? Trust is nice, but worthless without the ability to verify. Nobody on the outside knows what people have in their basements scraping and harvesting the internet. So, sorry, trust is off the table. You should always assume the worst. The *man in the middle* knows everything.

  6. My Password is still good though? by Major_Disorder · · Score: 0

    P@ssw0rd1 is still a good password, right?
    Actually I use long randomly generated passwords, and KeePass2

    --
    First law of people: People are generally stupid.
    1. Re:My Password is still good though? by AutodidactLabrat · · Score: 1

      Great...until you're at work and can't install the code, even the portable.
      So how are you going to check your car appointment with passwords you can't possibly remember, being 32 characters as random as possible?

    2. Re:My Password is still good though? by muphin · · Score: 1

      wouldn't matter what your password is if the database holding it is saved in plaintext or is easily decryptable.

      --
      It's not a typo if you understood the meaning!
    3. Re:My Password is still good though? by Major_Disorder · · Score: 1

      Great...until you're at work and can't install the code, even the portable. So how are you going to check your car appointment with passwords you can't possibly remember, being 32 characters as random as possible?

      I can always install the software.

      --
      First law of people: People are generally stupid.
    4. Re: My Password is still good though? by Anonymous Coward · · Score: 0

      You don't. You don't trade security for convenience. Much less if you can't use the right tools.
      Trust me, the world does not end if you don't check site xyz until you are at home.

      Lastly, you can install KPX on your phone, and check that appointment from there. Bonus point for not using your company's device for personal activities.

      You could even synchronize dbs with your desktop via a simple nextcloud deployment. Your creativity starts here.

    5. Re:My Password is still good though? by Major_Disorder · · Score: 1

      wouldn't matter what your password is if the database holding it is saved in plaintext or is easily decryptable.

      That would be why you never, ever reuse a password.

      --
      First law of people: People are generally stupid.
    6. Re:My Password is still good though? by AutodidactLabrat · · Score: 1

      I can always install the software.

      Good for you.
      For most of us working stiffs the drones (IT pros) have monitors all over the user machines either forbidding access to install anything or, better still, monitoring and reporting any "unauthorized" executable code followed by disconnect from intranets and therefore Internet making work impossible until a dressing down by idiot drones who will not take time to validate code behavior on open source.

    7. Re: My Password is still good though? by Anonymous Coward · · Score: 0

      Use your phone instead of making up edge cases, idiot

    8. Re: My Password is still good though? by Anonymous Coward · · Score: 0

      You don't. You don't trade security for convenience. Much less if you can't use the right tools.
      Trust me, the world does not end if you don't check site xyz until you are at home.

      Lastly, you can install KPX on your phone, and check that appointment from there. Bonus point for not using your company's device for personal activities.

      You could even synchronize dbs with your desktop via a simple nextcloud deployment. Your creativity starts here.

      You really expect him to accept that limitations are there for a reason? Then you have the gall, the unmitigated audacity to suggest he perform some THINKING, my God man, maybe even some REASONING and engage in creative problem-solving on a level that's well within his reach? Without a boss, professor, or some authority requiring it??

      You're not American, are you?

    9. Re:My Password is still good though? by toonces33 · · Score: 1

      I have PasswordSafe installed on my phone, and together with the Yubikey I can access my passwords whenever I like.

    10. Re:My Password is still good though? by Agret · · Score: 3, Informative

      I have a copy of my database on my phone. I use Keepass2Android and this USB keyboard plugin - https://play.google.com/store/... It makes it so you can plug your phone into the computer and it will be detected as a USB keyboard and then auto type your passwords in for you, no software required on any computer and no chance of your database being compromised on an untrusted PC.

      --
      Have you metamoderated recently?
    11. Re: My Password is still good though? by Anonymous Coward · · Score: 0

      So can I.

    12. Re:My Password is still good though? by AutodidactLabrat · · Score: 1

      Fairly awesome!
      Little bit cumbersome, but hey, whatever works

    13. Re:My Password is still good though? by Anonymous Coward · · Score: 0

      You don't actually need the 1 because it is already secure with the 0.

      Hope I saved you some bytes.

  7. Great! by king+neckbeard · · Score: 5, Funny

    Maybe now I can get back into some accounts I lost the password for.

    --
    This is my signature. There are many like it, but this one is mine.
    1. Re: Great! by Anonymous Coward · · Score: 0

      Like my 4 digit slashdot account. jk

    2. Re: Great! by WillAffleckUW · · Score: 1

      Actually, I do have that problem. Sigh.

      --
      -- Tigger warning: This post may contain tiggers! --
    3. Re:Great! by cdxta · · Score: 1

      The only account I have lost access to was because suddenly one day the site decided my computer was a new device. The site required me to enter the verification code they emailed to my CompuServe address. Nothing of value was lost though, it was my Yahoo account.

    4. Re: Great! by 140Mandak262Jamuna · · Score: 1

      me too. I mourn the loss of that password more than most bitcoin buyers who forgot the keys for their wallets.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    5. Re: Great! by Anonymous Coward · · Score: 0

      Me too, but I stopped mourning when slashdot ceased to be relevant and a pseudonymous record of your opinions became a liability.

  8. where is the list? by Anonymous Coward · · Score: 0

    I'd like to know if I need to change any of my credentials. thanks OP.

    1. Re:where is the list? by Anne+Thwacks · · Score: 1

      Please sir, can I change my date of birth and my mother's maiden name?

      --
      Sent from my ASR33 using ASCII
    2. Re: where is the list? by Anonymous Coward · · Score: 1

      I changed your mother's maiden status

    3. Re:where is the list? by Anonymous Coward · · Score: 0

      Third door on the left, after New Fingers, and New Face. If you see "New Eyes" you've gone to far.

    4. Re:where is the list? by Anonymous Coward · · Score: 0

      If you see "New Eyes" you've gone to far.

      I've never been to a place by that name. Where is this Far located?

  9. Ha, "scanning the darkweb" by DatbeDank · · Score: 1

    I love hearing about FUD like this making it seem like his firm has something special about it when it's just a guy using the same tools anyone else has to pose as a hacker in those dark net communities.

    TL;DR: regularly change your passwords and use different passwords for email, banking, etc.

    1. Re:Ha, "scanning the darkweb" by Altrag · · Score: 1

      "Anyone else" typically does not have such tools. While the tools may well be "freely" accessible, they don't typically make them easy to find by people who aren't already in the in-group. Too much exposure to the public is inherently bad for criminal types as it tends to draw law enforcement much quicker.

  10. The Dark Web by Anonymous Coward · · Score: 0

    I don't see why we don't just shut down the dark web entirely. I mean it sounds like the only people who would use it are criminals.

    Wait, that's not what the dark web is? It's just any server not otherwise linked to the internet that contains illicit information and that you can only find if you already know where to look? Maybe it needs a better name so that people can no longer claim to "scan" it.

  11. Anyone have the torrent by i286NiNJA · · Score: 1

    Sources all over the web indicate there is a torrent. But thankfully they're being responsible and not publicly linking to this database that's been freely available to bad guys for days.

    If anyone could link me it'd be great thanks.

    1. Re:Anyone have the torrent by Anonymous Coward · · Score: 0

      Sources all over the web indicate there is a torrent. But thankfully they're being responsible and not publicly linking to this database that's been freely available to bad guys for days.

      Yes, bad guys. Those morally unambiguous bad guys.

    2. Re: Anyone have the torrent by Anonymous Coward · · Score: 0

      "But unfortunately they're being irresponsible and not publicly linking to this database that's been freely available to bad guys for days."

      FTFY!!

    3. Re:Anyone have the torrent by Anonymous Coward · · Score: 0

      https://www.reddit.com/r/pwned/comments/7hhqfo/combination_of_many_breaches/ Looks like this is the source, but 'some random person on reddit' isn't as headline grabbing as 'the dark web'

  12. What good will... by Anonymous Coward · · Score: 0

    ...a one time pad do here?

    1. Re:What good will... by Anonymous Coward · · Score: 0

      ...a one time pad do here?

      Well you see, when your mother has her period she bleeds all over this pad, thick very clotty blood darker than normal. It takes a brave, brave man to eat her out at this time. Naturally no one wants to re-use this same pad again thus it is a One Time Pad. With wings!

  13. MySpace by painandgreed · · Score: 2

    I read TFA. It has a list of the top 40 passwords. Seeing how two of those passwords are "myspace" and "homelesspa" (which was apparently a default password for a bot making fake MySpace accounts from what I can google in a few minutes), I'd say a sizable amount if not all are from a MySpace database leak. Over one million accounts just between those two passwords and they aren't even in the top ten. Not sure how the bell curve on bad passwords reads in telling us what percentage the myspace group would be if 1 million of the 13th and 28th most common passwords out of 1.4 billion of the total database.

  14. What!! by Anonymous Coward · · Score: 0

    That's amazing. I got the same Combination on my Luggage!

  15. I have found my email by Anonymous Coward · · Score: 0

    Fortunately the email listed has a very, very, very old password. I changed its password many times in the last 8 years.

    1. Re:I have found my email by Anonymous Coward · · Score: 0

      It's ok as long as you didn't just put a few incremental numbers on the end or change one or two of the characters to change the password

  16. fail by Anonymous Coward · · Score: 0

    this has been on the clearnet for awhile as a torrent

  17. Pssh, I have a file with over 2 billion passwords by Anonymous Coward · · Score: 0

    Sure, every one is ‘password’ but they all get you into something different.

  18. monkey and dragon? by v1 · · Score: 1

    Those seem to be the only actual common words (ignoring "password")... I wonder why those two are so common? Are they used in a movie?

    --
    I work for the Department of Redundancy Department.
    1. Re:monkey and dragon? by Anonymous Coward · · Score: 0

      China

    2. Re:monkey and dragon? by Anonymous Coward · · Score: 0

      Chinese years

  19. 99.6% Old Credentials by bengoerz · · Score: 2
  20. Where's the database? by wardrich86 · · Score: 1

    So where is this database? It would be nice to know if any of my passwords are on it...