More Than 2.7 Billion Email and Passwords Leaked Online
Security researchers have discovered a treasure-trove of username, email and password combinations listed online by an unknown party.
The data was first discovered by security researcher Bob Diachenko, who found the unsecured Elasticsearch database on December 4. The data, however, had been indexed by the BinaryEdge search engine, and so was publicly accessible to cybercriminals, from the start of the month.
According to Info Security Magazine, “in total, the database contained 2.7 billion email addresses, and plain-text passwords for more than one billion of them - providing a perfect starting point for a credential stuffing campaign,” writes Phil Muncaster.
“After [Diachenko] notified the US-based ISP hosting the IP address, access to the database was eventually disabled on December 9, giving potential hackers more than enough time to harvest the trove of log-in data,” Muncaster added.
Diachenko, who worked with cybersecurity company Comparitech, has said he believes the data originated from a 2017 hack known as the ‘DoubleFlag’ attack, also known as the ‘Big Asian Leak’. The latest dump of 1.5TB-worth of private details is said to contain mostly Chinese data, although there are also numerous Gmail and Yahoo domains included in the leak.
“Because many Chinese people have difficulty reading English characters, they often use their phone numbers or other numerical identifiers as usernames. Therefore, we can assume many of these email addresses also contain phone numbers,” said Paul Bischoff, Comparitech’s privacy advocate.
Vinay Sridhara, CTO of Balbix, stressed that the implications of the trove of data extend far further than just the victims whose personal account details were listed. “Since many employees share passwords between their work and personal account, this is not only problematic for the individuals who own the accounts, but a big risk for enterprises globally as well.”
“Enterprises should use this as an opportunity to scan for password reuse immediately, and on an ongoing basis, to limit their exposure to this incident.”