
Breach site finds 1 billion accounts in hacked datasets

The databases contain email and password pairs from various past data breaches

The security conscious among you will be acutely aware of the dangers of password reuse, but the discovery of over 1 billion email addresses and passwords for sale on the dark web, some of them more than 10 years old, has highlighted not only the scale of the problem but also the difficulty of going back and changing passwords on accounts that were created years ago and long since forgotten.

Breach notification service Have I Been Pwned? (HIBP) has discovered troves of user credentials either being sold on hacking websites, or publicly available on data hosting websites.

This hacked data was found in two separate "combo lists" - collections of email addresses and associated passwords collated from various data breaches and leaks. The lists are thought to have been compiled as recently as late 2016.

One list, known as the "Anti Public Combo List", contains 457,962,538 distinct email addresses, and although HIBP creator Troy Hunt, who first reported the discovery of the lists last Friday, has so far been unable to trace the source of the data, he believes it comes from multiple breaches rather than a single event. 

Of HIBP's 1.1 million subscribers, who are notified if their email appears in a breach, more than 130,000 were found inside the Anti Public list, Hunt explained.

"I grabbed a handful of the ones who'd most recently signed up to the service and fired them off an email," said Hunt. "It was essentially 'hey, I've found your data online, can you help me verify if the password on file for you is correct'.

"I didn't know the site it originally came from nor did I have anything like their physical or IP address. But people were willing to help regardless and I got a steady flow of confirmations."

It wasn't until the discovery of a second list, known as Exploit.In, that the full scale of the collection came to light. This list in particular caught Hunt's eye as it happened to include a familiar address:

"Dammit! This is indeed my email address and the password is indeed one I recall carelessly throwing at a bunch of forums back in the noughties somewhere," Hunt wrote.

This second list comes in at just over 24GB in size, holding a mass of email address and password pairs - a total of 593,427,119 unique addresses. What's more, only 222 million of these were also found in the Anti Public list, meaning 63% of the Exploit.In records were unique.
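The distinct-address counts, the 222 million overlap and the "63% unique" figure above are what a set-based pass over two combo lists produces. The script below is an added example (not Troy Hunt's or HIBP's code) that parses the usual `email:password` line format, normalises email case, skips junk lines and empty passwords, and reports the same statistics for two constructed sample lists. It also shows how the page's 1.05 billion total is formed by summing the two lists rather than de-duplicating across them, and flags passwords reused across addresses, the reuse that makes these lists attractive for attacks on unrelated sites. The sample data is made up; the `;` separator handling and the lower-casing of addresses are assumptions about how real lists are formatted.

```python
"""Combo-list overlap analysis (added example; not from the article, Troy Hunt or HIBP).

Combo lists are plain text, one "email:password" (sometimes "email;password")
record per line, with duplicate lines, junk lines and inconsistent email
casing. All sample lists here are constructed, not real breach records.
"""
import re
from typing import Dict, Iterable, Set

# Split on the FIRST ':' or ';' only: passwords may themselves contain ':'.
_RECORD = re.compile(r"^\s*([^:;\s]+@[^:;\s]+)\s*[:;]\s*(.*?)\s*$")


def parse_combo(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each normalised (lower-cased) email to the passwords paired with it.

    Lines that are not 'address<sep>password' are skipped, as are records
    with an empty password.
    """
    creds: Dict[str, Set[str]] = {}
    for line in lines:
        m = _RECORD.match(line)
        if not m:
            continue
        email, password = m.group(1).lower(), m.group(2)
        if not password:
            continue
        creds.setdefault(email, set()).add(password)
    return creds


def overlap_stats(a: Dict[str, Set[str]], b: Dict[str, Set[str]]) -> Dict[str, float]:
    """Distinct addresses per list, addresses common to both, and the share of
    list b that is absent from list a (the page's '63% unique' figure).

    'combined_records' sums the two lists as HIBP's per-breach counts do;
    'combined_distinct' de-duplicates across them.
    """
    common = a.keys() & b.keys()
    b_only = len(b) - len(common)
    return {
        "a_distinct": len(a),
        "b_distinct": len(b),
        "common": len(common),
        "b_only": b_only,
        "b_only_pct": round(100.0 * b_only / len(b), 1) if b else 0.0,
        "combined_records": len(a) + len(b),
        "combined_distinct": len(a.keys() | b.keys()),
    }


def reused_passwords(creds: Dict[str, Set[str]]) -> Dict[str, int]:
    """Passwords paired with more than one address."""
    counts: Dict[str, int] = {}
    for pws in creds.values():
        for pw in pws:
            counts[pw] = counts.get(pw, 0) + 1
    return {pw: n for pw, n in counts.items() if n > 1}


# Constructed sample lists (not real data): duplicates, a junk line, mixed
# email case, a ';' separator, a password containing ':' and an empty password.
LIST_A = """\
alice@example.com:hunter2
Bob@Example.com:letmein
carol@example.com:Tr0ub4dor&3
dave@example.com:hunter2
garbage line without a separator
alice@example.com:hunter2
"""
LIST_B = """\
bob@example.com;letmein
erin@example.com:correct:horse
frank@example.com:
carol@example.com:Tr0ub4dor&3
grace@example.com:P@ssw0rd
"""

if __name__ == "__main__":
    a = parse_combo(LIST_A.splitlines())
    b = parse_combo(LIST_B.splitlines())
    print(overlap_stats(a, b))
    print(reused_passwords(a))
```

On the two samples, list A has 4 distinct addresses and list B 4, with 2 in common, so half of B is "unique" to it; the summed record count is 8 while the de-duplicated count is 6, which is the same distinction as between the 1.05 billion headline figure and the number of people actually affected.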

Some of these breached services are still active

Although it has been almost impossible to determine the sources of the data, Hunt explained to IT Pro that many of the breached services will still be active. More worrying still, the users who confirmed the data was accurate also admitted that the leaked passwords were ones they reused as a standard password across accounts, including accounts they had more than likely forgotten about.

"My own data almost certainly came from a car forum I used to frequent and that's definitely still running," said Hunt. "But even if these services weren't (active), the mere presence of credentials that are reused across other services is what poses the risk."

What is also particularly concerning is that this list is currently sitting on a publicly accessible Russian file-hosting site, and copies have almost certainly been made.

My own email address was among those found in the database

The two lists together add 1,051,389,657 records to HIBP - the 457,962,538 and 593,427,119 addresses counted list by list, so the 222 million addresses present in both are counted twice - increasing the size of the entire HIBP data set by almost 40%. Hunt has said that the site's current Microsoft Azure subscription will need to be expanded to host all that extra data.

Black market data sales

'Combo lists' of this kind are often sold on black market websites, which spike in activity around the time of a major hack. In the case of the Anti Public list, 'private combos' were also found, offering tiered prices for email and password pairs, as little as $5 for 10,000; up to $70 for 210,000.

Buyers then take this data and attempt to break into accounts on "totally unrelated websites", according to Hunt. Where the stolen passwords were hashed at all, it was often with weak protection, and once cracked they yield plain text passwords. These are loaded into an automated tool that pumps email address and password combinations into a website's login form until one scores a hit - a technique known as 'credential stuffing'.

This is an incredibly efficient method: cheap, premade tools are available for hire on the web, and because the attacker presents a valid email address and password on every attempt, the targeted site can find it almost impossible to tell the attempts apart from legitimate logins.
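Individually the attempts look legitimate, but in aggregate a stuffing run has a shape a site can look for: one source cycling through many different accounts in a short window, most of them failing, which is the opposite of a brute-force attack hammering a single account. The detector below is an added example (not from the article, Troy Hunt or HIBP) that runs that logic over constructed login log lines; the log format (timestamp, client IP, account, OK/FAIL), the five-minute window, the five-account threshold and the 50% success ceiling are all assumptions that a real deployment would tune.

```python
"""Spotting credential stuffing in authentication logs (added example; not
from the article, Troy Hunt or HIBP). Log lines and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, client IP, account, outcome.
# 203.0.113.7 tries six different accounts in four seconds (stuffing);
# 198.51.100.2 retries one account three times (brute force, not stuffing).
SAMPLE_LOG = """\
2017-05-08T10:00:01Z 203.0.113.7 alice@example.com FAIL
2017-05-08T10:00:02Z 203.0.113.7 bob@example.com FAIL
2017-05-08T10:00:02Z 203.0.113.7 carol@example.com OK
2017-05-08T10:00:03Z 203.0.113.7 dave@example.com FAIL
2017-05-08T10:00:03Z 203.0.113.7 erin@example.com FAIL
2017-05-08T10:00:04Z 203.0.113.7 frank@example.com FAIL
2017-05-08T10:00:05Z 198.51.100.2 grace@example.com FAIL
2017-05-08T10:00:09Z 198.51.100.2 grace@example.com FAIL
2017-05-08T10:00:15Z 198.51.100.2 grace@example.com OK
2017-05-08T10:30:00Z 203.0.113.7 heidi@example.com OK
"""


def parse_log(text):
    """Return (timestamp, ip, account, success) tuples from the sample format."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, account.lower(), result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5,
                    max_success_rate=0.5):
    """Flag sources that tried at least `min_accounts` DISTINCT accounts within
    any `window`, with a success rate at or below `max_success_rate`.

    Returns {ip: (distinct_accounts, attempts, successes)} for the densest
    qualifying window seen per IP. A single account retried many times
    never qualifies, which separates stuffing from brute force.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, ok in sorted(events):
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {acct for _, acct, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(accounts) >= min_accounts and successes / len(win) <= max_success_rate:
                prev = flagged.get(ip)
                if prev is None or len(accounts) > prev[0]:
                    flagged[ip] = (len(accounts), len(win), successes)
    return flagged


def compromised_accounts(events, flagged):
    """Accounts with ANY successful login from a flagged source: these are the
    'hits' the stuffing tool scored and the ones needing a forced reset."""
    return {acct for _, ip, acct, ok in events if ok and ip in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    print("flagged sources:", hits)
    print("accounts to reset:", sorted(compromised_accounts(evs, hits)))
```

On the sample, only 203.0.113.7 is flagged (6 accounts, 6 attempts, 1 success); 198.51.100.2 is left alone because it never touches more than one account. Two accounts, carol's and heidi's, had a successful login from the flagged source, so both are treated as hits even though heidi's came half an hour later, outside the window that triggered the alert.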

The best defence against these lists is to stop reusing passwords, and the practical way to do that is a password manager. These tools generate a unique password for every website and form and auto-fill login fields from an encrypted vault, so a password leaked from one site cannot be replayed against any other - effectively neutering the danger of a leaked data set.

"As fallible humans, we reuse passwords," Hunt said. "We've all done it at one time or another and whilst I hope that by virtue of you being here reading security stuff you've got yourself a good password manager, we've all got skeletons in our closets."

The full report can be read here.

Body copy pictures courtesy of Troy Hunt (blog)
