773 million e-mail addresses, 21 million passwords …
A collection of more than 12,000 files containing nearly 773 million email addresses and over 21 million unique passwords from numerous previous data breaches, some potentially dating back to 2008, has surfaced in another massive credential leak.
Security researcher Troy Hunt discovered the 87 GB of data on the Mega cloud storage service last week and loaded it into his Have I Been Pwned (HIBP) site, where individuals can check whether their email addresses appear in the list. The leaked passwords, meanwhile, were added to Pwned Passwords, a service Hunt maintains that lets people check whether their passwords have been exposed in data breaches.
Some 140 million of the email addresses and about half of the passwords just disclosed are new, meaning they had not previously appeared in HIBP or Pwned Passwords. With the new data, Pwned Passwords now contains over half a billion leaked passwords.
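Pwned Passwords lets a client check a password without sending it, or even its full hash, to the service: the client hashes the password with SHA-1, sends only the first five hex characters to the range endpoint (https://api.pwnedpasswords.com/range/{prefix}), receives every suffix sharing that prefix with an occurrence count, and matches locally. The following is an added example of that k-anonymity check; it is not HIBP's own code or data. The breach list and its counts are constructed, and the range "fetch" is an offline stand-in for the HTTP call, so it runs with no network access.

```python
"""Added example: a Pwned Passwords-style k-anonymity range check, run offline
against a constructed breach list (not HIBP's code or data)."""
from __future__ import annotations

import hashlib

# Constructed leaked-password list with made-up occurrence counts; it stands in
# for the real corpus of over half a billion passwords.
CONSTRUCTED_BREACH_COUNTS = {
    "password": 3730471,
    "123456": 23174662,
    "letmein": 236853,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, which is what the service keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """The first 5 hex chars are sent to the service; the remaining 35 stay local."""
    return digest[:5], digest[5:]


def build_range_store(counts: dict[str, int]) -> dict[str, str]:
    """Group the corpus by 5-char prefix into 'SUFFIX:COUNT' bodies, the shape the
    real /range/{prefix} endpoint returns (one line per suffix under that prefix)."""
    store: dict[str, list[str]] = {}
    for pw, n in counts.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        store.setdefault(prefix, []).append(f"{suffix}:{n}")
    return {p: "\r\n".join(sorted(lines)) for p, lines in store.items()}


RANGE_STORE = build_range_store(CONSTRUCTED_BREACH_COUNTS)
QUERIES_SENT: list[str] = []  # records exactly what would leave the machine


def fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns an empty body for prefixes the constructed corpus does not contain."""
    QUERIES_SENT.append(prefix)
    return RANGE_STORE.get(prefix, "")


def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict keyed by upper-case suffix."""
    out: dict[str, int] = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            out[suffix.upper()] = int(count)
    return out


def pwned_count(password: str) -> int:
    """How many times the password appears in the corpus (0 if never).
    Only the 5-char prefix is transmitted; the suffix match happens client-side."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def last_query() -> str:
    """The most recent prefix that fetch_range() would have sent over the wire."""
    return QUERIES_SENT[-1] if QUERIES_SENT else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw)
        print(f"{pw!r}: seen {n} times; only prefix {last_query()} left the client")
```

Any non-zero count means the password should be rejected at signup or password change; the count itself is useful only as a rough popularity signal. The real service returns far more lines per prefix than this constructed store, which is the point: the server cannot tell which of the hundreds of suffixes under a prefix the client was interested in.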
In a blog post on Thursday, Hunt described the file he discovered on Mega as containing data from what appears to be more than 2,000 previously breached and dehashed databases. The data appears to have originated from breaches between 2008 and 2015. But it is possible that at least some of the leaked data was not involved in a data breach at all, Hunt said.
It is not known who compiled the list of breached databases and put them in the file leaked on Mega. Attackers typically use such datasets to conduct automated "credential stuffing" attacks, in which they attempt to break into corporate accounts by replaying previously compromised email and password combinations.
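From the defender's side, credential stuffing has a distinctive shape in authentication logs: one source tries many different usernames, roughly once each, in a short window, and most attempts fail. That separates it from a user mistyping a password (one username, a few failures) and from an office NAT (many users, mostly successes). The following is an added example of detection logic for that pattern; it is not the article's or any vendor's code. The log format (`ts ip=... user=... result=ok|fail`), the sample lines and the thresholds are all assumptions, and the thresholds in particular need tuning per environment.

```python
"""Added example: credential-stuffing detection over constructed auth log lines."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format; real logs will need their own parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _line(t0: datetime, offset: int, ip: str, user: str, result: str) -> str:
    ts = (t0 + timedelta(seconds=offset)).strftime(TS_FMT)
    return f"{ts} ip={ip} user={user} result={result}"


def constructed_log() -> list[str]:
    """Constructed sample: a stuffing run, a normal user, an office NAT, and junk."""
    t0 = datetime(2019, 1, 17, 10, 0, 0)
    lines = []
    # 1) Stuffing: one IP, 25 distinct accounts in 50 s, one try each, two hits.
    for i in range(1, 26):
        result = "ok" if i in (7, 19) else "fail"
        lines.append(_line(t0, 2 * i, "198.51.100.7", f"user{i:03d}@example.com", result))
    # 2) Normal user: two typos, then success, from a home IP.
    lines += [
        _line(t0, 0, "203.0.113.5", "alice@example.com", "fail"),
        _line(t0, 5, "203.0.113.5", "alice@example.com", "fail"),
        _line(t0, 9, "203.0.113.5", "alice@example.com", "ok"),
    ]
    # 3) Office NAT: 12 distinct users inside a minute, all succeed.
    for i in range(12):
        lines.append(_line(t0, 3 * i, "192.0.2.10", f"staff{i:02d}@example.com", "ok"))
    lines.append("garbage line that does not parse")  # must be skipped, not crash
    return lines


def parse_line(line: str) -> dict | None:
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def detect_stuffing(
    lines: list[str],
    window_seconds: int = 60,
    min_distinct_users: int = 10,
    min_fail_ratio: float = 0.8,
) -> dict[str, dict]:
    """Flag source IPs that, within any sliding window, hit at least
    min_distinct_users different accounts with a failure rate of min_fail_ratio
    or more. Returns per-IP findings including the accounts that actually
    succeeded, which are the ones to lock and reset first."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    window = timedelta(seconds=window_seconds)
    findings: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        in_window: Counter = Counter()  # username -> attempts inside the window
        fails = start = peak = 0
        for end, ev in enumerate(evs):
            in_window[ev["user"]] += 1
            fails += ev["result"] == "fail"
            # Slide the window start forward until it spans <= window_seconds.
            while ev["ts"] - evs[start]["ts"] > window:
                old = evs[start]
                in_window[old["user"]] -= 1
                if in_window[old["user"]] == 0:
                    del in_window[old["user"]]
                fails -= old["result"] == "fail"
                start += 1
            attempts = end - start + 1
            if len(in_window) >= min_distinct_users and fails / attempts >= min_fail_ratio:
                peak = max(peak, len(in_window))
        if peak:
            findings[ip] = {
                "peak_distinct_users": peak,
                "attempts": len(evs),
                "failures": sum(e["result"] == "fail" for e in evs),
                "compromised": sorted({e["user"] for e in evs if e["result"] == "ok"}),
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(constructed_log()).items():
        print(ip, f)
```

The failure-ratio test is what keeps the office NAT out of the findings; dropping `min_fail_ratio` to 0 flags it too. Real stuffing tools spread attempts across many proxy IPs to stay under per-source thresholds, so the same logic is worth running keyed on a fingerprint other than source IP (user agent, TLS fingerprint, ASN) as well.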
The file on Mega has since been removed. But, according to Hunt, the data is currently being offered for sale on a popular hacking forum. Hunt calls the breach "Collection #1" after the name of the root folder containing the files.
The Collection #1 breach is one of the largest involving passwords and email addresses. Other massive compromises include the recently disclosed breach at Marriott International, in which 380 million records were exposed; several breaches at Yahoo, which ended up exposing all 3 billion of its user accounts; and one at Adult Friend Finder, which impacted 412 million accounts.
Such breaches repeatedly underscore the weakness of password-only account protection and the need for stronger authentication mechanisms. A new report from MarketsandMarkets shows concern about data breaches and regulation driving demand for multi-factor authentication technologies. The market for these tools and services is expected to grow by more than 15.5% per year over the next few years to reach $12 billion by 2022, according to the analyst firm.
Uniken CEO Bimal Gandhi says credential leaks pose a multi-faceted threat to organizations. Because people often reuse passwords across personal and work accounts, organizations are exposed to attacks even if their own sites and user credentials have not been compromised.
“An attacker can replay your customers’ known credentials from other sites against you on the reasonable chance that those credentials will also allow them to access your applications,” Gandhi said. Attackers have a wide range of methods to attack organizations via mobile and browser using the collected credentials, he says.
Credentials are also invaluable for phishing, says Tim Erlin, vice president of product management and strategy at Tripwire. There has been a recent increase in the use of compromised credentials in email extortion attempts, he says.
The fact that at least some of the leaked credentials are old makes them relatively less threatening to organizations that regularly change passwords. But the potential for abuse shouldn’t be underestimated, Erlin says. “People often change their personal passwords much less frequently than corporate IDs, which means there may very well be valid data,” he added.
Jai Vijayan is a seasoned technology journalist with over 20 years of experience in IT business journalism. He was most recently an editor at Computerworld, where he covered information security and data privacy issues for the publication. During his 20 years …