Dark web monitoring firm 4iQ discovered a massive trove of 41GB data file containing 1.4 billion login credentials including emails and passwords in clear-text format. Researchers believe it is the “largest aggregate database found in the dark web to date” beating the Onliner Spambot dump with 711 Million accounts following Exploit.in data dump in which 593 million accounts were exposed. In their blog post, researchers state that “This dump aggregates 252 previous breaches” meaning it is not a single breach but a combined list of login credentials complied by someone from previous data breaches including LinkedIn. The dump was discovered on a dark web forum on December 5, 2017 in which the total amount of data is 1,400,553,869 with usernames/emails and their clear text password. IT security experts are commented below.
Philip Lieberman, President of Lieberman Software:
“The revelation of massive databases of credentials available on the dark web should concern regulators and governments about their lax policies on passwords, especially those used for elevated access. PCI and other regulatory standards that only require administrator password changes every 90 days are out of touch with reality. Similarly, the obsession with removing clear text passwords by auditors and analysts via obfuscation rather than technology improvements, further cements the reality that current IT processes are out of step with the threats of today.
It is my belief that IT must undergo a revolution in identity management by turning over the manual management of identities and passwords to automated privileged identity management systems that can change passwords every few hours to remove any value for stolen credentials. By adding an additional layer of multi-factor authentication over the top of ever-changing passwords, IT can achieve real security and destroy the value of these treasure troves of stolen credentials. The reality of no credentials to steal or share exists today for some very large commercial and government agencies using our technology. For smaller organizations simply focused on minimal compliance, the long lifetime of their credentials and the manual management of them will plague them with large repeated losses coming from intrusions and the dark web sharing their stolen credentials.”
Michael Magrath, Director, Global Regulations & Standards at VASCO Data Security:
“The level of sophistication that cybercriminals bring to the dark web is unfathomable. Not only is stolen data aggregated, it has been catalogue and packaged so even novices to the Dark Web can easily search and acquire targeted data in similar fashion to a marketer renting a mailing list from a list broker targeting specific demographics.
“Organizations and individuals who were affected by the numerous data breaches over the past couple of years and have not taken action in terms of changing passwords, canceling debit and credit cards, requesting a freeze on their credit are rolling the dice that their data will not be compromised.
Our data is out there and now it is conveniently stored on the Dark Web in a gigantic searchable database for criminals to acquire. 1.4 billion credentials undoubtedly includes several duplicates so if you were unfortunate to be victimized by the Equifax, Target, Anthem breaches as examples, your information will likely be very comprehensive and sought after. If you did take action, you likely obtained a new credit card, but what about health records that can’t be changed?
“This is the exact reason why organizations cannot verify individuals via knowledge based verification (KBV) alone. KBV was under scrunity for some time, since questions typically presented online are obtainable via Internet searches such as “Your monthly mortgage is _______”.
“This aggregated treasure trove of stolen data also reminds us that we cannot rely on static passwords. As humans, we typically like convenience over security, and individuals commonly use the same password for multiple accounts. Verizon’s 2017 Data Breach Investigations Report cites that 81% of hacking-related breaches leveraged either stolen and/or weak passwords – and there they are in clear text, available to anyone on the Dark Web.
“Cybersecurity starts with identity, and protecting identities from theft is paramount. There are secure ways to verify identities and authenticate individuals accessing sensitive data. Technology companies have woken up to the fact that there needs to be a balance between convenience, usability and security. The industry has come a long way over the past few years offering a variety of frictionless authentication solutions that do not require users to remember complex static passwords, but instead to leverage integrated technologies in smartphones and other mobile devices such as facial recognition, fingerprint and adaptive authentication. Multi-factor authenticators are in integral part of a risk-based approach to cybersecurity. Perhaps 1.4 billion credentials will finally put the final nail in the password coffin.
“The time has come for federal and state governments to engage with industry to really drive change. The Identity Ecosystem Framework (IDEF) developed by IDESG as a deliverable in the National Strategy for Trusted Identities in Cyberspace provides a sound framework should be adopted to really have trusted identities in cyberspace.”
Satya Gupta, Founder and CTO at Virsec Systems:
“This is latest example of cybercrime getting organized, efficient, and widely available. It has become extremely easy for unsophisticated hackers to acquire credit cards, social security numbers, passwords, banking info, health records and much more. As this data becomes commoditized, it’s value does diminish, but of little comfort to consumer whose data is available to thousands of criminals. These dark web marketplaces are probably also funding more advanced, and stealthy attacks being designed against high-value corporate, government and infrastructure targets.”
John Gunn, CMO at VASCO Data Security:
“There have been so many breaches, and the complexity of creating and remembering passwords has become so great that passwords are now more effective at keeping legitimate users out of their own accounts than at stopping hackers. Biometrics, behavior analysis, and adaptive authentication are far more effective at stopping crime than passwords and they don’t place any burden on the user – this will quickly become the standard.”
.
Lisa Baergen, APR, MCC, Marketing Director at NuData Security Inc.:
“This discovery, together with looming GDPR-related liabilities for PII data exposure, are a crystal clear warning to organizations to revisit and tighten up their security systems, as one of their top priorities. In particular, companies holding massive amounts of customer data — such as financial institutions, merchants and others in the payments chain – are increasingly realizing that it’s time to migrate beyond collecting and storing static, easily spoofed data points for authenticating their customers’ digital identities. With the liability findings and rulings of the last year and this new discovery underscoring the scope and usability of personally identifiable information (PII) on the dark web, it’s time to adopt technologies that look beyond the user’s PII, such as biometrics. Taking a multi-layered approach that integrates authentication factors such as how the user behaves, their environment, and their patterns will give companies a holistic view of who the legitimate and would-be fraudulent are, and helps substantially decrease their liability exposure.”
Byron Rashed, Director of Marketing at SiO4:
“There should be no surprise that this particular database is available on the Dark Web. The data itself is not unique by any means, but what’s different are the features and “turnkey” functionality of the data. Complex cyber gangs can deliver customized information to potential buyers in the underground economy. As we have seen in past breaches, specific email domains were parsed into categories (specific vertical sectors and government entities), enabling threat actors to target specific groups, leveraging a readily available database. However, this particular database has new levels of built-in tools to create targeted and very efficient threat vector.
“Although the database contains old caches, it’s important to note – particularly since these tools can be continually used on newly-compromised caches of credentials that would enable threat actors to use them quickly and easily before an organization can take the proper steps to reset passwords and safeguard user accounts. this is especially dangerous since many users use their work credentials (both email and passwords) to access breached third-party sites, and in some cases of ISPs they use their [work] credentials a backup email, creating a potential threat vector for businesses.
Gabriel Gumbs, VP of Product Strategy at STEALTHbits Technologies:
“This latest find has wider implications than attackers gaining access to induvial personal or financial sites, because poor password hygiene tends to extend to corporate assets, this has the potential to significantly increase the success rate of malware that use credential stuffing attacks. Protecting against these types of attacks means that organizations need to adopt policies that not only protect against “Weak” passwords, but known breached ones as well. A strong password policy simply cannot protect against an attacker having access to the clear text version of that strong password.”
Javvad Malik, Security Advocate at AlienVault:
“This is an aggregation of compromised accounts from many breaches, going back who knows how long.
Users should be aware that these lists exist, checking with sites like Have I been Pwned to see if their credentials have been compromised and change passwords, ensuring they are not reused across different sites.
Enterprises can use such lists to ban passwords to prevent users from re-using compromised credentials, similar to how Microsoft dynamically bans commonly used passwords.”
Andrew Clarke, EMEA Director at One Identity:
“Businesses need to realise that the age of the password is past, and here is an example of why this is the case. We have seen many companies allowing weak passwords eg 123456 to be set by their users – and these are frequently guessed. But also, users reusing their passwords for personal and business services. Both result in easy pickings for the criminals. But now the realisation that passwords have been accumulated in accessible databases such as this on the dark web, must prompt everyone to think about resetting their passwords with a strong password (12+ character) and having an automated password management process to keep one step ahead of the criminals. Even better, take a look at multi-factor authentication, which really does make the password issue disappear since the dynamically changing numerical display (something the user has) cannot be stored away in a database and replayed.”
Mark James, Security Specialist at ESET:
“The idea of all of our stolen or breached data, being collated into an easy to search, super database for anyone with the required access to view should be shocking, but sadly it is not. With one of our biggest failings being password reuse, it makes perfect sense for bad actors to collate all of this data for later use.
With so many online accounts owned by each of us, it may be quite hard to determine what accounts we have ( and forgotten about ) and which ones contain data. With each breach that happens, the data that’s stolen may show patterns and trends in our password practices- if we are forced to change passwords regularly, it may show our thought processes that could enable an attacker to utilise that data for later attacks.
One of the concerns as always, is the amount of simple and common passwords that are commonly used, with passwords like “123456”, “password” and “qwerty” showing up- they should simply never ever be used in any circumstances”.
