back to article Archive of 1.4 billion credentials in clear text found in dark web archive

A data dump containing over 1.4 billion email addresses, passwords, and other credentials, all in clear text, has been found online by security shop @4iQ. The 41-gigabyte file was discovered on December 5 and had been updated at the end of last month, indicating the data is both current and being used by third parties. The …

Page:

  1. Haku

    12345? That's amazing, I've got the same combination on my luggage!

    https://www.youtube.com/watch?v=a6iW-8xPw3k

    1. Anonymous Coward
      Anonymous Coward

      Re: 12345? That's amazing, I've got the same combination on my luggage!

      Oooo get you fancy pants, with your 5 digit combinations.

      123 here for me.

      1. Doctor Syntax Silver badge

        Re: 12345? That's amazing, I've got the same combination on my luggage!

        "123 here for me."

        No problem. If you have a two lock case you can go one better - the other can be 456.

        1. Wensleydale Cheese Silver badge

          Re: 12345? That's amazing, I've got the same combination on my luggage!

          "123 here for me."

          No problem. If you have a two lock case you can go one better - the other can be 456.

          I went one better in the 90s, and used my 6 digit home phone number for a briefcase.

          I then changed jobs and found I didn't need a briefcase any more. I also moved house.

          Wind forwards about 15 years and I wanted to use the briefcase again. One of the locks had got nudged and for the life of me I couldn't remember that old phone number to unlock it. Old phone bills had been chucked out years before.

          I finally dug it out of an old CV that was lying around on my hard drive

          1. Roland6 Silver badge

            Re: 12345? That's amazing, I've got the same combination on my luggage!

            Wind forwards about 15 years and I wanted to use the briefcase again. One of the locks had got nudged and for the life of me I couldn't remember that old phone number to unlock it. Old phone bills had been chucked out years before.

            I finally dug it out of an old CV that was lying around on my hard drive

            Know the feeling, I've got a whole bunch of encrypted files scattered through my projects archive, I simply wrote the passphrase in the margin of my then current notebook/diary. If I ever want to access these files and the disk is still readable, it will be a long skim read through my old notebooks/diaries...

          2. Anonymous Coward
            Anonymous Coward

            Re: 12345? That's amazing, I've got the same combination on my luggage!

            "...I finally dug it out of an old CV that was lying around on my hard drive"

            You probably could have brute-forced the combos in much less time than searching your hard drive. Each lock only had a code space of 1000 combinations, and since they can be tried independently, you'd only have to make 1000 attempts on average.

            1. Wensleydale Cheese Silver badge

              Re: 12345? That's amazing, I've got the same combination on my luggage!

              "You probably could have brute-forced the combos in much less time than searching your hard drive. Each lock only had a code space of 1000 combinations, and since they can be tried independently, you'd only have to make 1000 attempts on average."

              Full marks to Apple's Spotlight in this case.

              I did a search for content using my old street name and Spotlight came up with that CV in a matter of seconds.

              Brute forcing the lock turned out to be unnecessary.

        2. Anonymous Coward
          Anonymous Coward

          Re: 12345? That's amazing, I've got the same combination on my luggage!

          501 for me - after Darth Vaders stormtrooper team (such a nerd)

    2. Muscleguy Silver badge

      Re: 12345? That's amazing, I've got the same combination on my luggage!

      My wife uses her birthday. A friend she sometimes stays with to help with the kid has her alarm similar so Mrs Muscleguy can remember it.

      Unsurprisingly having married someone with a very good memory she leans on me a lot to remember stuff. My sisters were amazed that I could still remember our phone number for the house we lived in in Southern NZ in the mid 1970s and the next house too. Some things just stick in my mind. I never actually tap it in any more but my wife's mobile # she has had since the '90s is burned into my mind too.

      1. Semtex451 Silver badge

        Find shows people still suck at passwords

        Why is the article tagline 'Find shows people still suck at passwords and not 'OMG change your passwords!!!'?.

        Is the author not disturbed that there's an archive of 1.4B passwords both simple and complex?

        1. swschrad

          I suggest the World Universal Password

          which would be asswordP. they'll never guess. for servers, the combination admin/fired should work. let 'em guess THOSE....

  2. eldakka Silver badge

    Has an analysis of the types of accounts been done?

    Over the decades of the internet, I've created thousands of 'throw-away' accounts that have used simple passwords along those lines.

    Temporary email accounts, one-off accounts on a site that I must register for (and that required me to create a 2nd account - one-off email account - to receive the registration email for) that I felt some one-off need to comment on that particular article, an account I've never used since on a site I may have never visited again.

    For those types of accounts, I'm not going to try a complex password I'm just going to put in abcd1234 or whatever reaches the minimum password requirements.

    Therefore my own internet usage history has created several thousand (knowingly) crappy-password accounts and several hundred strong (at the time) password-accounts. Horses for courses.

    1. Charles 9 Silver badge

      Re: Has an analysis of the types of accounts been done?

      Trouble is, even cappy accounts can be leveraged in things like social engineering to wedge their way into more valuable accounts. Kinda like ignoring the "impenetrable" forest.

      1. Steve Davies 3 Silver badge

        Re: Has an analysis of the types of accounts been done?

        A lot depends upon the level of obfuscation you give to the username you are creating

        for example

        RocketMan@eltonj.com

        or

        SlowMotion@man.co..uk

        are low levels on obfucation

        and

        TR6DBP966G@gmail.com

        Is a higher level.

        But easy for you to remember if you had a Triumph TR6 with the registration number DBP966G

        and finally

        Df_Rg!Th$Y&jU@hotmail.com

        is higher still but pretty well impossible for a human to remember so it gets written down somewhere... Doh!

        1. Doctor Syntax Silver badge

          Re: Has an analysis of the types of accounts been done?

          "pretty well impossible for a human to remember so it gets written down somewhere"

          No, it gets generated and stored in Keepass. The only password phrase to remember is that for Keepass.

          1. Pascal Monett Silver badge
            Trollface

            Re: "The only password phrase to remember is that for Keepass."

            Which is . . password.

            1. Andy The Hat Silver badge

              Re: "The only password phrase to remember is that for Keepass."

              Only hypothetical issue is the password/keystroke grabber trojan inserted into the apparently valid download file by some script kiddie. Instead of hitting only one password you can get tens.

              The question being, is that a valid scenario for such password vaults?

              My password vault was used to contain only memory hints to the passwords as I never knew whether the vault itself was secure or purely an obfuscated pipe to a central server ...

            2. docwebhead

              Re: "The only password phrase to remember is that for Keepass."

              No, no, NO!

              "Password1"

          2. soulrideruk Bronze badge

            Re: Has an analysis of the types of accounts been done?

            Why the hell would you trust ALL your passwords to a piece of software?

            Are you F*/85*g insane?

            For home use, you should have a notebook, pen and a safe. All your passwords should be written on paper. This way, they can only be stolen by someone breaking into your house and stealing your safe.

            Software is not secure. Wise up. Don't become a statistic.

            1. Charles 9 Silver badge

              Re: Has an analysis of the types of accounts been done?

              "For home use, you should have a notebook, pen and a safe. All your passwords should be written on paper. This way, they can only be stolen by someone breaking into your house and stealing your safe."

              Or your spouse who ALSO knows the combination...or a close associate of yours who cleans enough to figure it out and knows what's at stake.

              "Software is not secure. Wise up. Don't become a statistic."

              Neither's the safe if you have family or a significant other. Put it this way. If someone REALLY wants to to get you and you have a bad memory, you're basically screwed because your adversary can out-memorize you.

              If software's not secure, why does the government (including the security sectors) use it? Put it this way, if someone can break KeePass, they'd find bigger fish cracking government communiques that use the same algorithms.

        2. This post has been deleted by its author

          1. johnmayo

            Re: Has an analysis of the types of accounts been done?

            Uptick for spamgourmet! The old ones are the best

        3. Cuddles Silver badge

          Re: Has an analysis of the types of accounts been done?

          "but pretty well impossible for a human to remember so it gets written down somewhere... Doh!"

          Why do people keep insisting that writing down passwords is in some way a bad thing? The vast, vast majority of hacks are done remotely. A post-it note on my desk is just about the safest possible place to store a password, because I can guarantee no hacker will ever see it (no, I don't have a webcam or any other connected bullshit that could expose it). Even if I get particularly unlucky and someone breaks into my house, the chance of them caring about some passwords or having the connections to sell it (or finding a buyer who actually cares about a single person's password when billions are available online) are essentially zero; they're just going to nick the TV and whatever else they can easily flog to a mate

          A workplace where you don't want all the random people wandering around to have access to your passwords is a bit of a different matter, but since we were talking about accounts created for personal use that's not so relevant.

          As it happens I actually use a password vault because I'm willing to trade a bit of security for the convenience of not having to carry a stack of post-it notes around with me. Also, with my handwriting post-its would make my credentials so secure that even I would never be able to use them.

        4. Naselus

          Re: Has an analysis of the types of accounts been done?

          "Df_Rg!Th$Y&jU@hotmail.com

          is higher still but pretty well impossible for a human to remember"

          Speak for yourself. I named my daughter Df_Rg!Th$Y&jU@hotmail.com and so, in my case, I feel it would be a rather obvious username to go with.

          1. This post has been deleted by its author

      2. sorry, what?
        Devil

        Re: Has an analysis of the types of accounts been done?

        Personally, I use mailinator.com accounts, where there are no passwords, and fake names when doing this sort of forced registration. The only stuff sent to these accounts is marketing trash or offer codes etc., neither of which will be particularly troublesome for someone else to access.

        Because there's no password at all, and the account names relate to the site being accessed along with fake names etc. I don't think I leave anything wedge shaped that can be used against me. I could be wrong, of course, since I don't have a degree in psychology :D

        1. Anonymous Coward
          Anonymous Coward

          Re: Has an analysis of the types of accounts been done?

          "I don't think I leave anything wedge shaped that can be used against me. I could be wrong, of course, since I don't have a degree in psychology :D"

          I do have a degree in psychology and can think of no particular area I studied which would help here.

          A PhD in the study of subconcious habits and thought patterns might do the trick.

        2. Prst. V.Jeltz Silver badge

          Re: Has an analysis of the types of accounts been done?

          re "Df_Rg!Th$Y&jU@hotmail.com"

          That email address would probably crash a lot of poorly designed email servers!

          Just like those irish folk are always trying to inject SQL on me with their O'this and O'that.

          1. Anonymous Coward
            Anonymous Coward

            Re: Has an analysis of the types of accounts been done?

            Mr O'OR 1=1
            is our biggest customer.

          2. William Towle
            Coat

            Re: Has an analysis of the types of accounts been done?

            > Just like those irish folk are always trying to inject SQL on me with their O'this and O'that.

            My colleagues and I were discussing the problem with handling that recently, and noted there didn't seem to be a catchy name for it.

            I suggested that in keeping with "the Emergency" and "the Troubles" (and so on) that it should be called "the O'Bother".

        3. elDog Silver badge

          And you trust mailinator to not be breached

          Or selling you tidbits on the market?

          What's in it for them (follow the money)?

          Same with every other "helpful" online site - what's in it for them?

      3. This post has been deleted by its author

    2. Kiwi Silver badge
      Thumb Up

      Re: Has an analysis of the types of accounts been done?

      Therefore my own internet usage history has created several thousand (knowingly) crappy-password accounts and several hundred strong (at the time) password-accounts. Horses for courses.

      Same here. Not thousands maybe, but could be hundreds.

      Plus, with my hatred of farcebroke but occasional like to find others, I've now had at least a couple of dozen single-sign-in (no not single-sign-ON) FB accounts that were used once, search the name, close the private window, never remembered the password again. Or the account name etc.

  3. Jack of Shadows Silver badge

    What's interesting, at least to myself, is that two of my GMail accounts were compromised while this is not the case with my Live/Outlook and Yahoo accounts. That's a serious WTF. None use simple passwords or definitely not short either.

    1. phuzz Silver badge

      It's unlikely that they got the passwords from gmail. Either you reused the passwords somewhere (don't reuse passwords!), or you've got a keylogger on one of your devices.

    2. Julian Bradfield

      How did you find out?

    3. TechnicalBen Silver badge

      Your Yahoo was not hacked?

      You must be the only one!

      Ps, will this become user searchable? Though I'm guessing just changing everything is best policy?

  4. Anonymous Coward
    Anonymous Coward

    Look guys!

    qwerty is MY password!

    OK?

    1. Anonymous Coward
      Anonymous Coward

      Re: Look guys!

      mines, big dick willie

      1. Anonymous Coward
        Anonymous Coward

        Re: Look guys!

        Mine's gotta umlaut, yours has diaeresis

        1. Wensleydale Cheese Silver badge

          Re: Look guys!

          "Mine's gotta umlaut, yours has diaeresis"

          Mine's got glottal stops.

  5. Anonymous Coward
    Anonymous Coward

    Why can't someone email them all their passwords explaining in simple terms how easy they are to guess?

    At least it makes the data useless.

    1. Prst. V.Jeltz Silver badge

      That is actually a pretty good idea. If my email address (and quite possibly password ) is on a dark web archive that is actively in use I'd like to know!

      And its not like the dilemna of removing botnet clients from machines where you're actually changing the machine , and therefore breaking the law / could be responsible for god knows what breaking.

      Its just an email. I guess there are probably some spam laws that will rule this out.

      1. Anonymous Bullard
        1. Prst. V.Jeltz Silver badge

          Thanks. I didnt really trust that site before so hadnt tried it . I have now and lo and behold:

          "In August 2016, the Unreal Engine Forum suffered a data breach, allegedly due to a SQL injection vulnerability in vBulletin. The attack resulted in the exposure of 530k accounts including usernames, email addresses and salted MD5 hashes of passwords."

          and also

          "Onliner Spambot (spam list): In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump."

    2. Jamie Jones Silver badge

      At the last place I worked, an automated password cracker was used that did email users if their password had been cracked.

      These were internal users, on the corporate network.

      This lead to one support ticket that simply read: "How do you know my password is 6inches? Have you or your staff ever slept with me?"

      True story!

  6. Jin

    Not because we are silly or lazy.

    Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

    At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

    1. Saul Dobney

      Re: Not because we are silly or lazy.

      Use an offline 'password masher' that blends the domain name with a simple password to produce a strong password that is unique to each site you visit, while your simple password never leaves your desk.

      1. Prst. V.Jeltz Silver badge

        Re: Not because we are silly or lazy.

        Thats what I do , but I keep the formula for blending domain name in my head , so i can easily work out what my password for a given site is - and i need to up the algorythm a bit to make it more secure.

        If a "password masher" is going to produce a result that means nothing to you - why base it on the domain? surely random would be better?

        1. This post has been deleted by its author

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019