More Than 1 Billion Passwords on the Dark Web Including 123456
A dump of 1.4 billion passwords – clear text passwords available in an aggregated, interactive database – was recently discovered online by 4iQ. While it might sound like more of the same, a couple of factors make this news both particularly concerning and sadly predictable.
Details of the Data
Here are a few details about what 4iQ discovered:
- The 41GB dump was found on December 5, 2017 in an underground community forum.
- The data is from several incidents and sources, including dumps from Netflix, Last.FM, LinkedIn, MySpace, and popular games like Minecraft and Runescape.
- While some data was previously available online, 14% of exposed username/password pairs had not previously been decrypted by the community and are now available in clear text.
Particularly concerning is how easy this data is to use for any would-be hacker. 4iQ reports that the interactive database allows for fast (one-second response) searches and new breach imports. Given the fact that people reuse passwords, hackers can automate account hijacking or account takeover.
The increase in cybercrime-as-a-service – with kits and technical support available via online marketplaces – means that it doesn’t take a tech genius to do damage using hacked data.
This list of passwords is in one file, searchable, and unencrypted.
Passwords are Easy, Repetitive, and Reused
On the sadly predictable side, we’re making it pretty easy to guess our passwords. The prevalence of easy passwords indicates that, again, it wouldn’t take a tech genius to hack many online accounts.
The alphabetical list of passwords offers examples of trends in how people set passwords, reuse them, and create repetitive patterns over time.
The top five most-used passwords in the list were:
Many people reuse passwords, so many of the exposed credentials are likely to still be valid.
Password Smarts and Account Checks
The biggest takeaway from this incident is the need to be smarter about passwords. We’ve posted recently about the latest thinking regarding passwords, but here are some reminders about the basics:
- Create better passwords. 123456 is not an example of a smart password. Complex passwords are better, but they are hard to manage and remember. Consider using passphrases, or use a password manager.
- Don’t reuse passwords. This practice multiplies the number of accounts at risk. Treat every account as critical, and create a unique password for each account.
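Both reminders can be checked mechanically against a password-manager export. The script below is an added example, not part of the original post: it flags accounts whose password is on a blocklist, is shared with another account, or differs from another account's password only by a trailing number or symbol. The names `audit` and `base_form`, the three-entry blocklist and the sample vault are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample blocklist; a real audit would load a large breached-password list.
BLOCKLIST = {"123456", "password", "qwerty"}

def base_form(password):
    """Reduce a password to its stem: lowercase, trailing digits/symbols removed."""
    return re.sub(r"[\d\W_]+$", "", password.lower())

def audit(vault):
    """vault maps account name -> password. Returns findings keyed by issue type."""
    by_password = defaultdict(list)
    by_stem = defaultdict(list)
    for account, password in sorted(vault.items()):
        by_password[password].append(account)
        stem = base_form(password)
        if len(stem) >= 4:  # shorter stems are too weak a signal of a shared pattern
            by_stem[stem].append(account)
    blocklisted = sorted(a for a, p in vault.items() if p.lower() in BLOCKLIST)
    reused = sorted(accts for accts in by_password.values() if len(accts) > 1)
    # Same stem but different passwords, e.g. a year bumped at each rotation.
    patterned = sorted(
        accts for accts in by_stem.values()
        if len(accts) > 1 and len({vault[a] for a in accts}) > 1
    )
    return {"blocklisted": blocklisted, "reused": reused, "patterned": patterned}

# Constructed sample vault (account -> password), not real credentials.
SAMPLE_VAULT = {
    "email": "Summer2016!",
    "bank": "Summer2017!",
    "forum": "123456",
    "games": "123456",
    "music": "correct horse battery staple",
    "video": "tr0ub4dor&3",
}

if __name__ == "__main__":
    for issue, hits in audit(SAMPLE_VAULT).items():
        print(issue, hits)
```

The report lists account names only, so it can be shared or logged without echoing the passwords themselves.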
Finally, take a moment to determine if your online accounts have been compromised. Troy Hunt’s Have I Been Pwned website makes it quick and easy to do this check, and you can even set up notifications.