Slashdot Mirror


Searchable Database of 1.4 Billion Stolen Credentials Found On Dark Web (itworldcanada.com)

YVRGeek shares a report from IT World Canada: A security vendor has discovered a huge list of easily searchable stolen credentials in cleartext on the dark web, which it fears could lead to a new wave of cyber attacks. Julio Casal, co-founder of identity threat intelligence provider 4iQ, which has offices in California and Spain, said in a Dec. 8 blog his firm found the database of 1.4 billion username and password pairs while scanning the dark web for stolen, leaked or lost data. He said the company has verified at least a group of credentials are legitimate. What is alarming is the file is what he calls "an aggregated, interactive database that allows for fast (one second response) searches and new breach imports." For example, searching for "admin," "administrator" and "root" returned 226,631 passwords of admin users in a few seconds. As a result, the database can help attackers automate account hijacking or account takeover. The dump file was 41GB in size and was found on December 5th in an underground community forum. The total amount of credentials is 1,400,553,869.

7 of 72 comments

  1. Where? by Spazmania · Score: 5, Insightful

    Where can we get the file? NIST Special Publication 800-63-3 on authentication says we should check users' proposed passwords against a list of known compromised passwords. This sounds like a pretty good list.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
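    The check the comment above refers to, as an added example that is not part of the original post: a defender-side compromised-password check in the style of NIST SP 800-63. The leaked-password sample is constructed for this example, and the 5-hex-digit prefix/suffix split (so a client reveals only a hash prefix and compares suffixes locally) is an assumed design, not anything the thread specifies.

```python
import hashlib
from collections import defaultdict

# Constructed sample standing in for a real breach corpus; the values are
# invented for this example and are not taken from any actual dump.
SAMPLE_LEAKED_PASSWORDS = ["password", "123456", "admin", "myspace", "letmein"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form breach lists are commonly published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(passwords, prefix_len=5):
    """Index hashes by their first `prefix_len` hex digits (assumed k-anonymity scheme)."""
    index = defaultdict(set)
    for pw in passwords:
        h = sha1_hex(pw)
        index[h[:prefix_len]].add(h[prefix_len:])
    return index


def lookup_range(index, prefix):
    """Server side of a range query: return every stored suffix that shares the prefix."""
    return index.get(prefix, set())


def is_compromised(password, index, prefix_len=5):
    """Client side: hash locally, send only the prefix, compare the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:prefix_len], h[prefix_len:]
    return suffix in lookup_range(index, prefix)


def password_acceptable(password, index, min_len=8):
    """NIST SP 800-63B style check: minimum length, then rejection of known-compromised values."""
    if len(password) < min_len:
        return False, "too short"
    if is_compromised(password, index):
        return False, "found in compromised-password list"
    return True, "ok"


if __name__ == "__main__":
    idx = build_prefix_index(SAMPLE_LEAKED_PASSWORDS)
    for candidate in ["password", "admin", "correct horse battery staple"]:
        print(candidate, "->", password_acceptable(candidate, idx))
```

    Rejecting a password that appears in such a list is the point: an aggregated dump like the one in the story is exactly what credential-stuffing tools replay, so a candidate found there is already burned.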
  2. Great! by king+neckbeard · Score: 5, Funny

    Maybe now I can get back into some accounts I lost the password for.

    --
    This is my signature. There are many like it, but this one is mine.
  3. Re:Sheesh by Sarten-X · Score: 5, Informative

    The best I know of is https://haveibeenpwned.com/. You can search for a single email address, or set up monitoring for your domains.

    If this collection has email addresses, I wouldn't be too surprised to find it added to the collection there.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  4. MySpace by painandgreed · Score: 2

    I read TFA. It has a list of the top 40 passwords. Seeing how two of those passwords are "myspace" and "homelesspa" (which was apparently a default password for a bot making fake MySpace accounts, from what I can google in a few minutes), I'd say a sizable amount, if not all, are from a MySpace database leak. Over one million accounts just between those two passwords, and they aren't even in the top ten. Not sure how the bell curve on bad passwords reads in telling us what percentage the MySpace group would be, if the 13th and 28th most common passwords account for 1 million out of the 1.4 billion in the total database.

  5. Re:Sheesh by SlaveToTheGrind · Score: 3, Interesting

    Searching for yourself only draws more attention. Each query is added to the database. Google picks up on those things when they scrape the site. Suddenly your name is everywhere in every search engine.

    Um, yeah. They just may have thought of that one. Here's the robots.txt:

    User-agent: *
    Sitemap: https://haveibeenpwned.com/sit...
    Disallow: /Account/*
    Disallow: /account/*
    Disallow: /Verify/*
    Disallow: /verify/*
    Disallow: /HowFastIsAzureTableStorage/*
    Disallow: /DomainSearch/*
    Allow: /DomainSearch/$

  6. Re:My Password is still good though? by Agret · Score: 3, Informative

    I have a copy of my database on my phone. I use Keepass2Android and this USB keyboard plugin - https://play.google.com/store/... It makes it so you can plug your phone into the computer and it will be detected as a USB keyboard and then auto type your passwords in for you, no software required on any computer and no chance of your database being compromised on an untrusted PC.

    --
    Have you metamoderated recently?
  7. 99.6% Old Credentials by bengoerz · Score: 2