1 Billion Passwords and Email Addresses Have Been Leaked. What Does That Mean?

1 billion email address and passwords exposed

You hear cybersecurity specialists talk about credential stuffing all the time, but have you ever thought about the pure logistics of pulling off such an attack? Credential stuffing (or password stuffing, as it's sometimes referred to) means taking username and password combos leaked at one online service and trying them against multiple others. Because people use the same login credentials across different platforms, a single username and password pair can open many accounts. The theory is simple enough, but some of you may have already spotted a couple of problems.

First, the whole appeal of credential stuffing is that it impacts many people at once. If hackers need to manually enter every single username and password pair and wait for the "Login Successful" message to appear, the attack won't be particularly effective. That's why they use special scripts and botnets to do most of the work for them. All this automation is completely pointless, however, if the criminals don't have a large volume of leaked credentials to start with. Getting them is, at first glance, the bigger problem.

Of course, the crooks can always go to a dark web marketplace or a hacking forum and shell out some bitcoins in exchange for stolen usernames and passwords. As it turns out, however, sometimes, all they need to do is use a search engine.

1.5 TB of email addresses and passwords left in an unprotected ElasticSearch database

Bob Diachenko, a cybersecurity expert who has been responsible for the discovery and disclosure of many massive data leaks, did just that – he used a search engine. On December 4, he found an Elasticsearch database that was not protected by any form of authentication with the help of BinaryEdge – an internet scanning service. In it, there were a whopping 2.7 billion records weighing in at 1.5 TB. All the records had email addresses, and around 1 billion of them also contained plaintext passwords, which made the database perfect for anyone trying to launch a large-scale credential stuffing attack.

In fact, this might be the reason why the data ended up exposed in the first place. After discovering it, Diachenko shared his findings with researchers from Comparitech who took a closer look and said that someone was adding more and more records to the Elasticsearch installation, possibly in preparation for a credential stuffing campaign. The researchers couldn't find out who owned the database, but they did inform the ISP that hosted it, and on December 9, it was taken down. BinaryEdge first indexed it on December 1, however, which means that the login credentials remained exposed for over a week. During that period, anyone could have downloaded and used them for all sorts of malicious activities.

Most of the credentials come from "The Big Asian Leak"

In January 2017, a cybercriminal going by the nickname DoubleFlag described the data dump of close to 1 billion accounts he was trying to sell as "The Big Asian Leak". According to Comparitech's experts, this dump was put in the unprotected Elasticsearch database Diachenko found in the beginning of the month.

The vast majority of the usernames and passwords were stolen from popular Chinese online services, and they belong to people in East Asia, hence the name. As HackRead reported at the time, DoubleFlag wanted a little over $600 for the login credentials. Less than three years later, they were accessible to anyone who had an internet connection and knew where to look. This shows just how quickly data depreciates once it is stolen.

On the bright side, the usernames and passwords are now fairly old, which means that at least some of them are no longer valid. There is one thing that makes this particular data leak scarier than other similar incidents, though. People in the Far East often have trouble understanding and typing Latin characters, which is why they often use their telephone numbers as usernames when they're creating their email accounts. Thanks to this, the unprotected database led to the exposure of quite a few phone numbers, which, in and of itself, can cause quite a lot of damage.

Even if your phone number isn't included in your email address, and even if you're not affected by this particular data leak, the exposure should once again show you what sort of risk you're running by reusing the same passwords across multiple accounts.

December 13, 2019

Leave a Reply