Dark web monitoring firm 4iQ discovered a massive 41GB data file containing 1.4 billion login credentials, including emails and passwords in clear text. Researchers believe it is the “largest aggregate database found in the dark web to date”, beating the Onliner Spambot dump with 711 million accounts, which itself followed the Exploit.in data dump in which 593 million accounts were exposed. In their blog post, the researchers state that “This dump aggregates 252 previous breaches”, meaning it is not a single breach but a combined list of login credentials compiled by someone from previous data breaches, including LinkedIn. The dump was discovered on a dark web forum on December 5, 2017; it holds 1,400,553,869 records of usernames/emails with their clear-text passwords. IT security experts commented below.
Philip Lieberman, President of Lieberman Software:
“It is my belief that IT must undergo a revolution in identity management by turning over the manual management of identities and passwords to automated privileged identity management systems that can change passwords every few hours to remove any value for stolen credentials. By adding an additional layer of multi-factor authentication over the top of ever-changing passwords, IT can achieve real security and destroy the value of these treasure troves of stolen credentials. The reality of no credentials to steal or share exists today for some very large commercial and government agencies using our technology. For smaller organizations simply focused on minimal compliance, the long lifetime of their credentials and the manual management of them will plague them with large repeated losses coming from intrusions and the dark web sharing their stolen credentials.”
Michael Magrath, Director, Global Regulations & Standards at VASCO Data Security:
“Organizations and individuals who were affected by the numerous data breaches over the past couple of years and have not taken action in terms of changing passwords, canceling debit and credit cards, requesting a freeze on their credit are rolling the dice that their data will not be compromised.
Our data is out there and now it is conveniently stored on the Dark Web in a gigantic searchable database for criminals to acquire. 1.4 billion credentials undoubtedly includes several duplicates so if you were unfortunate to be victimized by the Equifax, Target, Anthem breaches as examples, your information will likely be very comprehensive and sought after. If you did take action, you likely obtained a new credit card, but what about health records that can’t be changed?
“This is the exact reason why organizations cannot verify individuals via knowledge-based verification (KBV) alone. KBV has been under scrutiny for some time, since questions typically presented online are obtainable via Internet searches, such as “Your monthly mortgage is _______”.
“This aggregated treasure trove of stolen data also reminds us that we cannot rely on static passwords. As humans, we typically like convenience over security, and individuals commonly use the same password for multiple accounts. Verizon’s 2017 Data Breach Investigations Report cites that 81% of hacking-related breaches leveraged either stolen and/or weak passwords – and there they are in clear text, available to anyone on the Dark Web.
“Cybersecurity starts with identity, and protecting identities from theft is paramount. There are secure ways to verify identities and authenticate individuals accessing sensitive data. Technology companies have woken up to the fact that there needs to be a balance between convenience, usability and security. The industry has come a long way over the past few years, offering a variety of frictionless authentication solutions that do not require users to remember complex static passwords, but instead leverage integrated technologies in smartphones and other mobile devices such as facial recognition, fingerprint and adaptive authentication. Multi-factor authenticators are an integral part of a risk-based approach to cybersecurity. Perhaps 1.4 billion credentials will finally put the final nail in the password coffin.
“The time has come for federal and state governments to engage with industry to really drive change. The Identity Ecosystem Framework (IDEF), developed by IDESG as a deliverable in the National Strategy for Trusted Identities in Cyberspace, provides a sound framework that should be adopted to really have trusted identities in cyberspace.”
Satya Gupta, Founder and CTO at Virsec Systems:
John Gunn, CMO at VASCO Data Security:
Lisa Baergen, APR, MCC, Marketing Director at NuData Security Inc.:
Byron Rashed, Director of Marketing at SiO4:
“Although the database contains old caches, it’s important to note – particularly since these tools can be continually used on newly-compromised caches of credentials – that they would enable threat actors to use them quickly and easily before an organization can take the proper steps to reset passwords and safeguard user accounts. This is especially dangerous since many users use their work credentials (both email and passwords) to access breached third-party sites, and in some cases of ISPs they use their [work] credentials as a backup email, creating a potential threat vector for businesses.”
Gabriel Gumbs, VP of Product Strategy at STEALTHbits Technologies:
Javvad Malik, Security Advocate at AlienVault:
“Users should be aware that these lists exist, checking with sites like Have I Been Pwned to see if their credentials have been compromised, and change passwords, ensuring they are not reused across different sites.
Enterprises can use such lists to ban passwords to prevent users from re-using compromised credentials, similar to how Microsoft dynamically bans commonly used passwords.”
Andrew Clarke, EMEA Director at One Identity:
Mark James, Security Specialist at ESET:
“With so many online accounts owned by each of us, it may be quite hard to determine what accounts we have (and forgotten about) and which ones contain data. With each breach that happens, the data that’s stolen may show patterns and trends in our password practices. If we are forced to change passwords regularly, it may show our thought processes, which could enable an attacker to utilise that data for later attacks.
One of the concerns, as always, is the number of simple and common passwords that are in use, with passwords like “123456”, “password” and “qwerty” showing up. They should simply never, ever be used in any circumstances.”
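A minimal password-policy check in the spirit of the advice above (banning credentials that appear in compromised-credential lists, and the common passwords named here), added as an example that is not part of the article or any contributor's comment. The combo-list sample is constructed, and the SHA-1 prefix bucketing is an assumption modelled on the k-anonymity range lookup used by Have I Been Pwned.

```python
import hashlib
from collections import defaultdict

# Constructed sample of a combo list in "email:password" form; not data from the dump.
SAMPLE_COMBO_LIST = """\
alice@example.com:123456
bob@example.com:Summer2017!
carol@example.com:qwerty
dave@example.com:correct horse battery staple
"""

# Well-known weak passwords, banned regardless of whether they appear in a corpus.
COMMON_PASSWORDS = {"123456", "password", "qwerty"}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the representation used by HIBP's range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(combo_list: str) -> dict:
    """Index breached passwords by the first 5 hex chars of their SHA-1.

    Only hashes are retained, so the policy store never holds the plaintext
    dump. Bucketing by prefix lets a client fetch one bucket and compare the
    remaining suffix locally (k-anonymity), never sending the full hash.
    """
    index = defaultdict(set)
    for line in combo_list.splitlines():
        if ":" not in line:
            continue  # tolerate malformed lines instead of aborting the import
        _, _, password = line.partition(":")
        digest = sha1_hex(password)
        index[digest[:5]].add(digest[5:])
    return index


def is_breached(password: str, index: dict) -> bool:
    """True if the password's SHA-1 suffix is present in its prefix bucket."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def check_password(password: str, index: dict) -> tuple:
    """Return (accepted, reason) for a proposed password under this policy."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "common password"
    if is_breached(password, index):
        return False, "found in breach corpus"
    return True, "ok"
```

In production the index would be built from a full corpus or queried through HIBP's range endpoint, and a candidate is rejected before it is ever stored.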
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.