In what might be the largest discovery of its kind, security researchers have potentially identified the single largest aggregate credential database found on the Dark Web. This aggregated database holds 1.4 billion clear text credentials – usernames and passwords – which do not come from one new breach but are a compilation of 252 previous breaches.
Researchers from 4iQ found this 41GB database while scouring the dark web for stolen, leaked or lost data.
According to 4iQ, the passwords came from credential lists like Anti Public, Exploit.in, as well as dumps from LinkedIn, MySpace, Netflix, Bitcoin, Pastebin, Last.FM, Zoosk, YouPorn, Badoo, RedBox and games such as Minecraft and Runescape.
“None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true,” said Julio Casal, founder of 4iQ. “The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records.”
Yet another security warning for organisations
Lisa Baergen, director at NuData Security, said that “this discovery, together with looming GDPR-related liabilities for the exposure of personally identifiable information (PII), is a crystal-clear warning to organisations to revisit and tighten up their security systems, as one of their top priorities. In particular, companies that rely on static data to authenticate their customers have to migrate to solutions that allow them to circumvent the dependence on this overly exposed static data.”
“Companies need to adopt technologies that look beyond PII and evaluate the user’s biometrics. When companies authenticate their customers with more than just static data, they are not exposed to the risks that databases such as this one pose to them.”
“Passive biometrics monitors behaviour such as how the users hold the device, what fingers they use, and how fast they type, that can’t be replicated by a bad actor. This provides a holistic and accurate view of who the person – or machine – behind the device is.”
“With a stronger multi-layered authentication solution that looks at the human – instead of just at the static data – companies can easily prevent account takeover attempts that use PII from the dark web.”