A huge database has been found on a hacking forum on the dark web, with 773 million unique addresses. The cache for the database holds 87GB of data and was being stored on the MEGA cloud service, although it has since been removed. Troy Hunt, an Australian web security expert known for public education and outreach on security topics, was alerted to the cache and began to investigate. Hunt found that there are 1.16 billion unique combinations of passwords and email addresses listed.
The data in the database hasn’t come from just one source but has instead been compiled from thousands of data breaches. Hunt recognized data from a few previous breaches, but there was also a lot of data he didn’t recognize, including 140 million email addresses that have not been identified as part of previous breaches.
“This gives you a sense of the origins of the data but again, I need to stress ‘allegedly,’” Hunt said. “I’ve written before about what’s involved in verifying data breaches and it’s often a non-trivial exercise…it’s entirely possible that some of them refer to services that haven’t actually been involved in a data breach at all.”
Sergey Lozhkin, security expert at Kaspersky Lab, said:
“This massive collection of data harvested through data breaches has been built up over a long period of time, so some of the account details are likely to be outdated now. However, it is no secret that despite growing awareness of the danger, people stick to the same passwords and even re-use them on multiple websites.”
The database was published on a popular and well-known hacker site on the dark web and was up for some time before Hunt was alerted to it. This means there is a high probability that hackers have attempted to use the data for nefarious means.
“In terms of the risk this presents, more people with the data obviously increases the likelihood that it’ll be used for malicious purposes,”
The hackers will most likely use the breached information for credential stuffing, a new and emerging form of attack that accomplishes account takeover through automated web injection. It is related to the breaching of databases in that both accomplish account takeover.
“This collection can easily be turned into a single list of emails and passwords: and then all that attackers need to do is to write a relatively simple software program to check if the passwords are working. The consequences of account access can range from very productive phishing, as criminals can automatically send malicious e-mails to a victim’s list of contacts, to targeted attacks designed to steal victims’ entire digital identity or money or to compromise their social media network data.”
This is a very real threat: a study by Distil Research Lab found that when credentials from a data breach have been made publicly available, websites experience a 300 percent increase in volumetric attacks.
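
A defender-side illustration of the pattern described above, added here as an example and not taken from the article or anyone quoted in it: a replayed email/password list shows up in login logs as one source trying many different accounts about once each, with few successes. The log format, thresholds and function name are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): "<time> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = "\n".join(
    # One source walking a combined list: a different account on every attempt.
    [f"10:00:{i:02d} 203.0.113.7 user{i}@example.com FAIL" for i in range(8)]
    # One entry on the list was a reused password that still worked.
    + ["10:00:08 203.0.113.7 carol@example.com OK"]
    # Brute force for contrast: many attempts against a single account.
    + [f"10:01:{i:02d} 198.51.100.4 bob@example.com FAIL" for i in range(6)]
    # Ordinary users, including one mistyped password.
    + ["10:02:00 192.0.2.10 alice@example.com OK",
       "10:02:05 192.0.2.10 dave@example.com FAIL",
       "10:02:09 192.0.2.10 dave@example.com OK"]
)


def stuffing_suspects(log_text, min_users=5, max_hit_rate=0.2, max_tries_per_user=2.0):
    """Map each suspect source IP to the accounts it managed to log in to.

    All three thresholds are assumed starting points, to be tuned per site.
    """
    users, hits, attempts = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guess at their meaning
        _, ip, user, result = fields
        users[ip].add(user.lower())
        attempts[ip] += 1
        if result == "OK":
            hits[ip].add(user.lower())

    suspects = {}
    for ip, total in attempts.items():
        distinct = len(users[ip])
        hit_rate = len(hits[ip]) / distinct   # share of targeted accounts opened
        tries_per_user = total / distinct     # stays near 1 for a list replay
        if (distinct >= min_users and hit_rate <= max_hit_rate
                and tries_per_user <= max_tries_per_user):
            # Accounts opened by a suspect source need a forced password reset.
            suspects[ip] = sorted(hits[ip])
    return suspects


if __name__ == "__main__":
    for ip, accounts in stuffing_suspects(SAMPLE_LOG).items():
        print(f"{ip}: suspected credential stuffing, reset {accounts}")
```

The accounts returned for each suspect source are the ones where a breached password was still valid, so they are the first candidates for session revocation and a forced reset.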