1.4-Billion Clear Text Credentials Discovered in a Single Database


Researchers from security firm 4iQ discovered a new collection on the dark web that contains 1.4-billion usernames and passwords. The 41-gigabyte archive was found on December 5, 2017, in an underground community forum. It is considered to be the largest aggregation of leaks ever found on the dark web.

The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list, which exposed 797-million records. It adds 385-million new credential pairs, 318-million unique users, and 147-million passwords pertaining to those previous dumps. The total number of credentials is 1,400,553,869. The collective database contains plain text credentials leaked from Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public and Exploit.in.

The most common weak passwords found are “123456”, “123456789”, “qwerty”, “password” and “111111”. None of the passwords are encrypted. A subset of these passwords was tested, and most of them have been verified to be true.

It is still unclear who collected this data, but they left Bitcoin and Dogecoin wallet details for donations. This list will probably not be the last one exposed, and we recommend that you use different passwords for different websites and services. This practice will limit your risk and prevent grief and losses.