A massive 600 gigabyte file containing about 2.2 billion compromised usernames and passwords has been spotted floating about the dark web, freely available to anyone who cares to download it via torrent. While the words “good news” and “breached accounts” really never belong in the same sentence, the small silver lining here is that this appears to be a collation of old data rather than any sort of a new breach.
The information in the file is basically a round-up of material from the biggest data breaches of the last few years: Yahoo!, LinkedIn, Dropbox and more. The breached accounts are not limited to those incidents, however, as security researchers have found credentials dating back to 2008 in the file.
It’s unclear if data from any of the recent breaches of Facebook is present in this data dump. Mark Zuckerberg and his two billion Facebook users are probably not at risk from what we know thus far; the Cambridge Analytica and September 2018 access token mishaps (the latter of which was initially reported as impacting 50 million users) did not expose users’ login credentials to the general public. However, enough major websites are included in this collection of breached accounts that everyone needs to pay attention to it.
The information in this file was mostly already available to the public, or at least widely disseminated among the hacker community in the past few years. High-level professional hackers have likely already combed through it and taken their shots with these breached accounts at this point.
The news of the release plus the convenience of having all of these credentials in one place may encourage amateurs to take a crack at some of these accounts, however. Any old passwords that might have been included in this should be changed immediately. It would also be prudent to review the included data breaches to ensure that no other compromising or exploitable personal information might be available from the breached accounts found in this file.
Sources of the breached accounts
68 million Dropbox user accounts were compromised in 2016. The attackers exploited an improperly secured employee password to obtain email addresses and hashed and salted passwords from breached accounts that were created in 2012 and earlier. The data was initially put up for sale on the dark web, but was quickly obtained by a number of tech magazines and security publications.
The LinkedIn accounts of about 170 million people were compromised in 2012, but the data stayed in private hands until it unexpectedly appeared on the dark web in 2016. The hackers gained access to email addresses (tied to LinkedIn member ID numbers) as well as hashed passwords.
Yahoo! suffered two major security breaches, one in 2013 and one in 2014. Between them, it is believed that nearly every Yahoo! account created prior to the breaches was impacted – that means at least three billion in total. Yahoo! began reporting the details of these breaches in 2016, but the full extent was not known until 2017. The FBI charged hackers working for the Russian Federal Security Service with the crime.
Myspace was hacked at some point before 2013, when the pioneering social network still had a significant user base. Breached accounts are from that period of time. The details of 360 million accounts in total were compromised during this data breach, including email addresses and dates of birth.
150 million Adobe users suffered from breached accounts in a 2013 hack. The stolen data included login details (emails with hashed passwords) and credit card numbers.
Other possible inclusions
These are just the largest of the known data sets included in the recent compilation. It is possible that other sources, both large and small, may be present in the billions of account details it contains.
Other major data breaches of a similar nature occurred at Marriott (500 million accounts), Adult Friend Finder (412 million accounts), eBay (145 million accounts), Heartland Payment Systems (134 million accounts), Target (110 million accounts) and the Sony PlayStation Network (77 million accounts) during this time period.
This incident serves as a reminder to practice good security hygiene and send reminders out to employees, regardless of whether or not your personal data wound up in the collection.
Passwords should never be reused across accounts and should be a long mix of letters, numbers and symbols. A good password manager can greatly simplify this. With a password manager, you need only remember one strong master password (or set up an alternate authentication method such as biometrics) to gain access to every other account of yours.
The fact that passwords were (in most cases) hashed and salted in these leaks merely slows down attackers rather than stopping them. With the hashed data in hand, an attacker can “brute force” the hashes offline at their leisure. This does narrow the pool of people with the requisite equipment, knowledge and inclination to do so, but rest assured that they are out there.
If you’re concerned about a particular account being compromised, Have I Been Pwned can let you know whether a particular email address or password has been spotted in any known data sets. You enter each individually, and the site does not tie them to each other in any way.
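The reason the password check can be done safely is that the Pwned Passwords service uses k-anonymity: only the first five hex characters of the password's SHA-1 are sent, and the matching of the remaining 35 characters happens on your side. The following is an added example, not code from the article or from Have I Been Pwned; the offline stand-in fetcher and its two "breached" passwords are constructed so that it runs without network access.

```python
from __future__ import annotations

import hashlib


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of a password into the 5-char prefix that is
    sent to the range endpoint and the 35-char suffix that is only compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a /range/{prefix} query returns."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


# Constructed sample data (not real breach counts) backing the offline fetcher below.
_BREACHED_SAMPLES = {"password123": 123456, "letmein2016": 4321}


def constructed_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
    Returns a filler suffix plus any constructed sample whose SHA-1 shares the prefix."""
    lines = ["0018A45C4D1DEF81644B54AB7F969B88D65:2"]  # constructed filler entry
    for pw, count in _BREACHED_SAMPLES.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\n".join(lines)


def live_fetch_range(prefix: str) -> str:
    """Real query against the Pwned Passwords range endpoint (needs network access)."""
    import urllib.request

    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as r:
        return r.read().decode("utf-8")


def breach_count(password: str, fetch_range=constructed_fetch_range) -> int:
    """How many times the password appears in the data set (0 if never).
    The full hash and the password itself never leave this function."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)
```

Pass `fetch_range=live_fetch_range` to query the real service; a non-zero result means the password should be retired everywhere it was used.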
It is very likely that there will be a surge in activity on accounts associated with this breach, as that has been the pattern with every high-profile public data leak of this nature to date. Some hackers will be seeing this information for the first time and will want to test it out. While most of the accounts involved have likely been notified and secured at this point, even a small percentage going unsecured would be worth the effort for hackers. For example, if only half a percent of the accounts in this breach remained vulnerable, that would still be over one million ripe and ready for exploitation.