Slashdot Mirror
Searchable Database of 1.4 Billion Stolen Credentials Found On Dark Web (itworldcanada.com)
YVRGeek shares a report from IT World Canada: A security vendor has discovered a huge list of easily searchable stolen credentials in cleartext on the dark web, which it fears could lead to a new wave of cyber attacks. Julio Casal, co-founder of identity threat intelligence provider 4iQ, which has offices in California and Spain, said in a Dec. 8 blog his firm found the database of 1.4 billion username and password pairs while scanning the dark web for stolen, leaked or lost data. He said the company has verified at least a group of credentials are legitimate. What is alarming is the file is what he calls "an aggregated, interactive database that allows for fast (one second response) searches and new breach imports." For example, searching for "admin," "administrator" and "root" returned 226,631 passwords of admin users in a few seconds. As a result, the database can help attackers automate account hijacking or account takeover. The dump file was 41GB in size and was found on December 5th in an underground community forum. The total amount of credentials is 1,400,553,869.
Where can we get the file? NIST Special Publication 800-63-3 on authentication says we should check user's proposed passwords against a list of known compromised passwords. This sounds like a pretty good list.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
It would be really nice if things like this were posted and searchable...after all, the information's compromised and it would nice to be able to find out if your stuff was out there floating around in the wild...otherwise, thanks for the pointless and useless alarmism and giving me one more thing to worry about.
Maybe now I can get back into some accounts I lost the password for.
This is my signature. There are many like it, but this one is mine.
I've used that on isolated systems before, in days long gone by. Now, many login systems recognize that the username and password partially match, and it rejects the pair.
You do not have a moral or legal right to do absolutely anything you want.
I love hearing about FUD like this making it seem like his firm has something special about it when it's just a guy using the same tools anyone else has to pose as a hacker in those dark net communities.
TL;DR: regularly change your passwords and use different passwords for email, banking, etc.
Please sir, can I change my date of birth and my mother's maiden name?
Sent from my ASR33 using ASCII
Sources all over the web indicate there is a torrent. But thankfully they're being responsible and not publicly linking to this database that's been freely available to bad guys for days.
If anyone could link me it'd be great thanks.
I changed your mothers maiden status
Great...until you're at work and can't install the code, even the portable.
So how are you going to check your car appointment with passwords you can't possibly remember, being 32 characters as random as possible?
wouldnt matter what your password is if the database holding it, is saved in plaintext or easily decryptable.
It's not a typo if you understood the meaning!
Great...until you're at work and can't install the code, even the portable. So how are you going to check your car appointment with passwords you can't possibly remember, being 32 characters as random as possible?
I can always install the software.
First law of people: People are generally stupid.
wouldnt matter what your password is if the database holding it, is saved in plaintext or easily decryptable.
That would be why you never, ever reuse a password.
First law of people: People are generally stupid.
Good for you.
For most of us working stiffs the drones (IT pros) have monitors all over the user machines either forbidding access to install anything or, better still, monitoring and reporting any "unauthorized" executable code followed by disconnect from intranets and therefore Internet making work impossible until a dressing down by idiot drones who will not take time to validate code behavior on open source.
I read TFA. It has a list of the top 40 passwords. Seeing how two of those passwords are "myspace" and "homelesspa" (which was apparently a default password for a bot making fake MySpace accounts from what I can google in a few minutes), I'd say a sizable amount if not all are from a MySpace database leak. Over one million accounts just between those two passwords and they aren't even in the top ten. Not sure how the bell curve on bad passwords reads in telling us what percentage the myspace group would be if 1 million of the 13th and 28th most common passwords out of 1.4 billion of the total database.
I have PasswordSafe installed on my phone, and together with the Yubikey I can access my passwords whenever I like.
I have a copy of my database on my phone. I use Keepass2Android and this USB keyboard plugin - https://play.google.com/store/... It makes it so you can plug your phone into the computer and it will be detected as a USB keyboard and then auto type your passwords in for you, no software required on any computer and no chance of your database being compromised on an untrusted PC.
Have you metaroderated recently?
Those seem to be the only actual common words (ignoring "password")... I wonder why those two are so common? Are they used in a movie?
I work for the Department of Redundancy Department.
According to Troy Hunt, 99.6% of this list is already in HaveIBeenPwned.
So where is this database? It would be nice to know if any of my passwords are on it...
Fairly awesome!
Little bit cumbersome, but hey, whatever works