Researchers from the security firm 4iQ have made a disturbing discovery on the dark web. A massive repository has been discovered that contains a staggering 1.4 billion usernames and passwords in plain text.
The repository is well organized, with each letter of the alphabet having its own directory to facilitate rapid search, and 4iQ has tested a subset of the data it contains and found an alarming percentage of the usernames and passwords to be viable.
It should be noted that this data isn’t from a new, previously unknown breach, but rather, an aggregation of data stolen from 252 previous breaches. The CTO of 4iQ, Julio Casal, had this to say about the discovery:
“None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true. The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo lists that exposed 797 million records. This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps.”
The usernames and passwords come from a wide range of sources including Runescape, Minecraft, RedBox, Badoo, Zoosh, Last.FM, YouPorn, Netflix, MySpace, LinkedIn, Pastebin, Bitcoin and many others.
What’s even worse is that as large as this collection is, it’s really just the tip of the spear. A shocking percentage of users have the bad habit of using the same credentials across multiple web properties, so it’s a statistical certainty that many of the passwords contained in this file will allow hackers access to much more than just the web properties the passwords were stolen from.
If you’re not yet in the habit of changing your passwords on a regular basis, you should begin doing so immediately, and if you’re one of the hundreds of millions of people who use the same password on multiple sites, it’s well past time to break that habit. See What You Should Know About Passwords.