1 Billion Passwords and Email Addresses Have Been Leaked. What Does That Mean?

1 billion email address and passwords exposed

You hear cybersecurity specialists talk about credential stuffing all the time, but have you ever thought about the pure logistics of pulling off such an attack? Credential stuffing (or password stuffing, as it's sometimes referred to) means taking username and password combos leaked at one online service and trying them against multiple others. Because people use the same login credentials across different platforms, a single username and password pair can open many accounts. The theory is simple enough, but some of you may have already spotted a couple of problems.

First, the whole appeal of credential stuffing is that it impacts many people at once. If hackers need to manually enter every single username and password pair and wait for the "Login Successful" message to appear, the attack won't be particularly effective. That's why they use special scripts and botnets to do most of the work for them. All this automation is completely pointless, however, if the criminals don't have a large volume of leaked credentials to start with. Getting them is, at first glance, the bigger problem.

Of course, the crooks can always go to a dark web marketplace or a hacking forum and shell out some bitcoins in exchange for stolen usernames and passwords. As it turns out, however, sometimes, all they need to do is use a search engine.

1.5 TB of email addresses and passwords left in an unprotected ElasticSearch database

Bob Diachenko, a cybersecurity expert who has been responsible for the discovery and disclosure of many massive data leaks, did just that – he used a search engine. On December 4, he found an Elasticsearch database that was not protected by any form of authentication with the help of BinaryEdge – an internet scanning service. In it, there were a whopping 2.7 billion records weighing in at 1.5 TB. All the records had email addresses, and around 1 billion of them also contained plaintext passwords, which made the database perfect for anyone trying to launch a large-scale credential stuffing attack.

In fact, this might be the reason why the data ended up exposed in the first place. After discovering it, Diachenko shared his findings with researchers from Comparitech who took a closer look and said that someone was adding more and more records to the Elasticsearch installation, possibly in preparation for a credential stuffing campaign. The researchers couldn't find out who owned the database, but they did inform the ISP that hosted it, and on December 9, it was taken down. BinaryEdge first indexed it on December 1, however, which means that the login credentials remained exposed for over a week. During that period, anyone could have downloaded and used them for all sorts of malicious activities.

Most of the credentials come from "The Big Asian Leak"

In January 2017, a cybercriminal going by the nickname DoubleFlag described the data dump of close to 1 billion accounts he was trying to sell as "The Big Asian Leak". According to Comparitech's experts, this dump was put in the unprotected Elasticsearch database Diachenko found in the beginning of the month.

The vast majority of the usernames and passwords were stolen from popular Chinese online services, and they belong to people in East Asia, hence the name. As HackRead reported at the time, DoubleFlag wanted a little over $600 for the login credentials. Less than three years later, they were accessible to anyone who had an internet connection and knew where to look. This shows just how quickly data depreciates once it is stolen.

On the bright side, the usernames and passwords are now fairly old, which means that at least some of them are no longer valid. There is one thing that makes this particular data leak scarier than other similar incidents, though. People in the Far East often have trouble understanding and typing Latin characters, which is why they often use their telephone numbers as usernames when they're creating their email accounts. Thanks to this, the unprotected database led to the exposure of quite a few phone numbers, which, in and of itself, can cause quite a lot of damage.

Even if your phone number isn't included in your email address, and even if you're not affected by this particular data leak, the exposure should once again show you what sort of risk you're running by reusing the same passwords across multiple accounts.

By Duran
December 13, 2019
News
English
December 13, 2019
News

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

News

Why Is Facebook Asking for Email Passwords?

How much does Facebook know about you? Different people will give different answers. If you don't have a Facebook account, for example, you are likely to say that the world's largest social network knows nothing about... Read more

April 3, 2019
News

LifeLock Bug: Millions of Email Addresses Were Left out in the Open

We have discussed identity theft protection on these pages, and we have hopefully helped you understand what the service offers, what it doesn't offer, and under which circumstances it can be beneficial to you. Today,... Read more

July 30, 2018
News

Security Researchers Discover a Data Dump That Exposed 21M Passwords and 773M Email Addresses

Troy Hunt is an Australian security specialist who runs Have I Been Pwned – the largest, most comprehensive data breach notification service currently in existence. His job is, among other things, to collect emails... Read more

January 17, 2019
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.