In December, 4iq, a company that works to prevent the illegal use of personal data and unauthorized access to user accounts, discovered a file containing a database of 1.4 billion stolen "accounts". The find was made possible by scanning the darknet and the deep web for leaks of this kind that could be exploited by attackers.
This is the largest database of its kind to date. In this article we look at the features of the discovered database, recall similar leaks of user data, and explain what to do if you "find yourself" in such a database.
Photo: Flickr / Magnus D / CC
The most "convenient" database of someone else's information
Analysis of the database showed that it largely consists of user credentials stolen in 252 separate incidents. They overlap with the contents of other collections, for example the Anti Public Combo List, which holds more than 500 million passwords. According to experts, only 14% of the accounts in the new database can be called original: these username/password pairs had not appeared in cracked (plaintext) form before.
What distinguishes this find from the others is its format: it is not an ordinary list but an interactive database. It makes the contents easy to search and use, simplifies selection, and reveals patterns in how users choose a particular password.
With such a database it is not hard for attackers to automate the theft of personal data. At the same time, the completeness of the collection and its "convenient" organization and navigation open the door to illegal activity even for inexperienced cybercriminals.
Other major leaks in recent years
In 2016, the number of incidents involving the theft of personal data increased by 40% compared to 2015. Within 12 months, several large-scale leaks occurred.
In May 2016 (8 years after the alleged MySpace hack), credentials for 360 million accounts were put up for sale. The same thing happened with 164 million email addresses and passwords from the social network LinkedIn: the information was stolen in 2012 but appeared on the black market only 4 years later.
Following the same scenario, a database of 100 million VK user accounts was made public. Well-known security specialist Troy Hunt believes there is no obvious reason why attackers keep stolen data for years and only then try to sell it; it all depends on their personal motives.
Another "late lot" is a database of email addresses and passwords of 57 million users of the Badoo dating service. It appeared on the market in May 2016, but the hack allegedly occurred in 2015.
The year ended with two of the largest leaks in history: Anti Public and Exploit.in. Together they added more than a billion account credentials to the common pool. Both lists contained several different passwords of the same users on different online systems, which made it easier to reach valuable information by analyzing how a potential victim composes passwords.
The results of this year have yet to be summarized, but we can already recall the headline leaks of 2017. In March, a group of spammers working on behalf of River City Media accidentally leaked the data of 1.34 billion recipients of "marketing" mailings. This happened because of a misconfigured backup process. The database contained email addresses, IP addresses, and even home and work addresses of recipients.
In mid-2017, a list of personal data of more than 105 million people was discovered on the Internet. It was called B2B USA Businesses and contained employees' email addresses along with job information, as well as work phone numbers and physical addresses.
In August, a directory containing the results of the Onliner Spambot was discovered. The bot sent malware to vulnerable computers disguised as official documents or hotel booking confirmations, and then stole passwords, credit card data and other personal information. In all, more than 710 million credentials were stolen.
Later came news of the leak that is called the "worst" in terms of the significance of the stolen information. The hackers had access to Equifax, one of the three largest US credit agencies, from mid-May to July, and "leaked" the data of 143 million customers, including social security numbers and driver's license numbers.
In the autumn, the worst fears about the massive Yahoo breach were confirmed. Verizon, which acquired the company, estimated that the stolen "accounts" were related to 3 billion accounts in Tumblr, Fantasy and Flickr.
Photo: Flickr / Angie Harms / CC
What to do if you "found yourself"
Ending up among the people whose data has been stolen and sold is not so hard when the count of "leaked" accounts already runs into the billions. To protect yourself, you first need to understand how attackers can use your personal data.
The value of stolen personal data (PD) can be measured in billions. The most valuable items are access to financial instruments (for example, an online banking service).
Such information is used for purchases in online stores and for resale to other users on the darknet. People often set the same password for different accounts, so a password from an account on one site can give attackers access to more valuable information located on another site.
To secure your personal data, you need:
1. Track leaks. There is an open Data Breach database that lets you find out which organizations have allowed data to leak. The above-mentioned Troy Hunt runs a similar service called "Have I been pwned?". It lets you check (by email address) whether your account on a given resource has been compromised, and subscribe to notifications of major leaks. This information allows you to respond in a timely manner and change the passwords of the affected accounts.
2. Do not neglect obvious security advice. Of the 1.4 billion stolen accounts in the new database, the most common password was 123456. This once again confirms that users ignore elementary security rules: they choose simple combinations and use them for several resources at once.
Special applications and services help to set and store complex passwords.
If a service offers two-factor authentication, it should be used. In addition, before placing confidential information in the cloud, it is important to make sure the service provides a high level of security: encryption, two-factor authentication, access policy management, regular audits and other measures (a little about how we work to secure customer data at the IaaS provider 1cloud: a material on Habré and one more in our corporate blog).
3. Know how to act in the event of a PD leak. If your financial instruments are at risk, you should immediately contact your bank or other organization and notify its specialists about possible problems.
It is also worth contacting credit organizations to find out whether attackers have tried to take out a loan in your name. In Russia, such an organization is the National Bureau of Credit Histories, which allows you to check all the necessary information. If you suspect or have evidence of PD theft, contact law enforcement agencies. Your statement will later serve as evidence in possible litigation.
It is important to remember that even a fragment of "neutral" information, such as an email address without a password, can be used to gain access to financial instruments. Attackers use non-technical attack methods such as social engineering, that is, they obtain the missing information in the course of contact with the "victim". Therefore, after learning that your PD has been "leaked", it is important to stay vigilant and pay attention to every call and letter. At this point, basic recommendations such as "do not give passwords to bank employees over the phone" are more important than ever.
4. Study materials on the topic (a small thematic digest).
- DigitalGuardian, a developer of data loss prevention solutions, has gathered over 100 simple but important tips for protecting personal information. Of particular value are the quotations and useful tools from portals such as PrivacyRights and companies such as Kaspersky Lab.
- In this article, security experts at Tripwire, which develops data protection products, give recommendations for choosing passwords. The main tips concern changing passwords regularly and choosing the characters and phrases that make them up. These rules may seem trivial, but, returning to the 4iq find, we see that not everyone applies obvious protection methods in practice.
- Another security company, HeimdalSecurity, asked 19 experts to name the three main protection measures in their view. Comments were shared by employees of Eset, SecurityWatch, CSIS and other companies.
- This material describes the process of testing the security of a provider's infrastructure. The example demonstrates how client PD can be stolen because of a vulnerability at the service company. Another example concerns a vulnerability at a bank; the article describes several hacking scenarios.
- And here is a story of how social engineering works in practice. A fake Facebook account and a fake password entry form are all that is required to gain access to social network and email profiles.
- Another tool from Troy Hunt is Pwned Passwords. It provides access to millions of "leaked" passwords. They should be considered unsuitable for use, since hackers have already managed to steal them, which means attackers can use them.
- Data encryption features in many tips from security experts. Here you can find a selection of relevant tools.
- For a deeper dive into the subject, you can turn to resources that describe how hackers think and act. Quora users recommend what they consider the best materials on this topic. There are also books on so-called ethical hacking. They help you protect yourself through hands-on analysis of vulnerabilities and an understanding of the techniques used to circumvent security systems.
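As an added illustration of points 2 and 4 above (example code written for this article, not code from 1cloud, 4iq or Troy Hunt's services), the block below shows how a registration form can reject a password that has already appeared in a breach corpus such as Pwned Passwords without ever sending the password itself: only the first 5 hex characters of its SHA-1 hash leave the client, and the matching is done locally. The network call to the real service is replaced by a constructed in-memory corpus so the example runs offline; the corpus contents and occurrence counts are made up.

```python
"""Offline demonstration of the k-anonymity style lookup used by Pwned Passwords.

Added example; the network call is replaced by an in-memory corpus built here.
The real service answers GET /range/<5-char prefix> with lines of
"<35-char SHA-1 suffix>:<count>"; fetch_range() below stands in for that call.
"""
import hashlib
from collections import defaultdict

# Constructed sample of leaked passwords with made-up occurrence counts.
# Plaintexts are hashed at runtime so no hashes need to be typed in by hand.
SAMPLE_LEAKED = {"123456": 23000000, "password": 3600000,
                 "qwerty": 3800000, "1cloud2017": 2}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(leaked: dict) -> dict:
    """Group SHA-1 suffixes by their 5-hex-char prefix, mirroring the service's ranges."""
    ranges = defaultdict(list)
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        ranges[h[:5]].append(f"{h[5:]}:{count}")
    return ranges


RANGES = build_ranges(SAMPLE_LEAKED)


def split_hash(password: str) -> tuple:
    """Return (prefix, suffix); only the prefix would ever leave the client."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def fetch_range(prefix: str) -> list:
    """Stand-in for the HTTP request; returns the lines the service would send."""
    return RANGES.get(prefix, [])


def pwned_count(password: str) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def is_acceptable(password: str, min_len: int = 12) -> bool:
    """Policy a registration form could apply: long enough and never seen in a breach."""
    return len(password) >= min_len and pwned_count(password) == 0
```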
P.S. Even more useful materials on the subject can be found in our corporate blog: