There have been numerous high-profile breaches involving popular websites and online services in recent years, and it’s very likely that some of your accounts have been impacted. It’s also likely that your credentials are listed in a massive file that’s floating around the Dark Web.
Security researchers at 4iQ spend their days monitoring various Dark Web sites, hacker forums, and online black markets for leaked and stolen data. Their most recent find: a 41-gigabyte file that contains a staggering 1.4 billion username and password combinations. The sheer volume of records is frightening enough, but there’s more.
All of the records are in plain text. 4iQ notes that around 14% of the passwords included — nearly 200 million — had not been circulated in the clear. All the resource-intensive decryption has already been done with this particular file, however. Anyone who wants to can simply open it up, do a quick search, and start trying to log into other people’s accounts.
Everything is neatly organized and alphabetized, too, so it’s ready for would-be hackers to pump into so-called “credential stuffing” apps.
Where did the 1.4 billion records come from? The data is not from a single incident. The usernames and passwords have been collected from a number of different sources. 4iQ’s screenshot shows dumps from Netflix, Last.FM, LinkedIn, MySpace, dating site Zoosk, adult website YouPorn, as well as popular games like Minecraft and Runescape.
Some of these breaches happened quite a while ago and the stolen or leaked passwords have been circulating for some time. That doesn’t make the data any less useful to cybercriminals. Because people tend to re-use their passwords — and because many don’t react quickly to breach notifications — a good number of these credentials are likely to still be valid. If not on the site that was originally compromised, then at another one where the same person created an account.
Part of the problem is that we often treat online accounts as “throwaways.” We create them without giving much thought to how an attacker could use information in that account — which we don’t care about — to compromise one that we do care about. In this day and age, we can’t afford to do that. We need to prepare for the worst every time we sign up for another service or site.