Recently, cyber-security firm 4iq.com discovered on a community forum deep within the ‘dark web’, the largest aggregated database of emails / passwords found to date. The searchable database contained 1.4 billion user login credentials hoovered up from a wide range of hacks, security breaches, data dumps etc. These are in ‘clear text’ meaning they are not encrypted or scrambled in any way, they can be read by anyone. Yes anyone.
Anyone who is active on the dark web, that finds the database can access it and start trying to log into other people’s accounts. Quite possibly yours and mine.
4i have begun extensive analysis of the data and what was immediately alarming in the database was the extent to which people were either…
- Reusing the same password across multiple services or sites (often multiple times)
- Using incredibly weak and obvious passwords (and in some case they were reusing the same weak passwords, which is probably the cyber equivalent of leaving your car unlocked with the key in the ignition and the engine running)!
An example of the most common (and weakest) passwords is shown in the table below…
Astonishingly, the password ‘123456’ occurred over 9 million times in the leaked and stolen data. That’s 9 million people who are making it unbelievably straightforward for someone to break into their account.
Whilst much of the data in the database will be old, some of it is not (14% of the credentials recovered have never been seen before in any other data breach or leak). The latest data was added in late November 2017. This stuff is current and could easily include your information.
4i have checked with a number of users to verify if the information in the database is correct. Almost all of the users contacted have verified that the data was true. Frequently their reactions were…
“but that’s an old password…”
commonly followed by…
“Oh crap! I still use that password on <this> site…”
You can check whether your information appears within the database by sending an email to firstname.lastname@example.org with subject line: Password Exposure Check 4i will respond with the truncated list of found passwords for that email. Of course they will only report the passwords related to the specific email from which you write to them. If you want to verify different email addresses you will have to send an email from each of them.
Take Action Now
Stop reusing the same password in different places
Use long (more than 12 characters and ideally 15 characters plus) passwords
Consider using a password manager such as KeePass or LastPass to hold these rather than trying to remember them all
Consider using two factor authentication in as many places as possible. Whilst it may be slightly inconvenient to do so, it increases your security enormously.
Make your email account passwords particularly complex and long. After all, this is where any password reset notifications will be sent. If a hacker has your email password they can reset it and then beaver away on all of your other accounts.
Please, please share or pass this onto anyone that you think might benefit from it. And, above all, stay safe out there.