Billions Of Emails, Passwords Leaked Online

Huge exposure of personal emails and passwords found on a dark web hacker forum is a compilation of many previous breaches

A huge data dump containing billions of records has been found on a hacker forum, creating a new risk to people’s data online.

According to a report on Cybernews, more than 3.2 billion unique pairs of cleartext emails and passwords have just been leaked on a popular hacking forum.

And it seems the data dump is a combination of exposed data from previous breaches at Netflix, LinkedIn, Exploit.in, Bitcoin and more.

Compilation of Many Breaches

The breach is being called a “Compilation of Many Breaches” (COMB), and in total there are more than 3.27 billion email and password pairs.

Concerned readers can check whether their email addresses are within the compromised database.

CyberNews was unable at the time of writing to determine what previously leaked databases were collected in this breach, but from the samples examined, it seems the emails and passwords are from domains from around the world.

It stated that this current leaked database appears to build on 2017’s Breach Compilation. In that leak, intelligence analysts at 4iQ discovered a single file database with 1.4 billion email and password pairs, all in plaintext.

At the time, that was considered the largest credential breach exposure, almost two times larger than the previous largest credential exposure from Exploit.in, which had nearly 800 million records.

Users are advised to change their passwords on a regular basis, and to use unique passwords for every account.

Additional recommendations are to use password managers and to add multi-factor authentication on more sensitive accounts.

Password hygiene

Security experts warned that cases like this illustrate the need to maintain sound password hygiene.

“It is concerning to see how easily customer data has been made available and how quickly fraudsters have been able to sift through the results and produce a database of compromised personal information,” noted Will LaSala, senior director of global security solutions at OneSpan.

“For consumers, this incident should come as a reminder to maintain good password hygiene – if you are using a static password, you have to assume that it can or has been compromised and take the correct actions to minimise the risk of your personal data being misused,” said LaSala.

“Taking advantage of additional forms of strong authentication offered by many companies, such as secure ‘PUSH notifications’, or ‘One Time Passwords’ with fingerprint, face recognition or other biometric checks will greatly help reduce the ability for any compromised credentials to be used by fraudsters.”

“Equally, as businesses digitize, they must maintain a high level of protection against data breaches,” concluded LaSala. “They must provide customers with and encourage them to make use of more secure alternatives to traditional passwords by adopting an agile, multi-layered approach to security that can thwart attacks using stolen credentials.”

Dark web monitoring

Another security expert said that this case underlined how important it is for organisations to proactively monitor the dark web.

“When it comes to recycling, cybercrime is one of the leading industries, with data breaches frequently republished or compiled into larger breaches,” said Jeremy Hendy, CEO at Skurio.

“Unfortunately, many of us are prone to recycling passwords too and this is a timely reminder for individuals not to return to using favourite passwords from the past,” said Hendy. “Compilation breaches are popular with criminals because their sheer size guarantees success even if a tiny percentage of victims have failed to update the password revealed on every service it was used for; these breaches can of course be additionally used for large-scale phishing or brute force attacks.”

“It is therefore important for organisations of all sizes to proactively monitor the Dark Web and other underground forums, to be alerted if their customer data is ever leaked, marketed or sold online,” Hendy concluded. “Being the first to know that your data is out there gives you time to investigate the incident and prepare a report, before the phone starts ringing”.

Adaptive technologies

Another expert noted that these breaches become more dangerous because people reuse their passwords, and suggested that organisations use adaptive technologies to flag potentially suspicious logins.

“Compilation of Many Breaches (COMB) is not a new breach, but is making headlines because of its size,” said Matias Woloski, co-founder and CTO of Auth0. “Three billion email addresses and passwords all available for anyone to use in credential stuffing attacks.”

“There are two truths here that we need to accept: we’re never going to prevent all data breaches, and the password hygiene message isn’t getting through,” Woloski added.

“Businesses now need to force the issue to protect themselves and their customers,” said Woloski. “Authentication is much more than an email and password combination. One Time Passcodes and biometric security are mainstays of multifactor authentication, but consumer-facing businesses have often avoided them. The fear is that they add friction to the customer journey.”

“Adaptive technologies are the solution,” he said. “They’re designed to introduce friction only when necessary, without impacting the customer experience. These technologies can determine whether a customer is legit based on a series of clues that determine an overall risk score.”

“Logging in from London and five minutes later from Singapore? Red flag,” said Woloski. “Use a password that was stolen in a recent data breach? Red flag. These red flags make Adaptive Multi-Factor Authentication trigger an additional layer of security to verify your digital identity.”

“We need to see technology adapt to humans, not the other way around,” said Woloski. “Expecting people to remember a random string of numbers and letters is unrealistic. But we’re all expected to use passwords.”

“Passwords will eventually go away in favour of passwordless alternatives, driven by the adoption of the WebAuthn standard,” Woloski concluded. “Businesses need to prepare for that transition. In the meantime, companies need to combine passwords with additional factors presented only when needed (i.e. adaptive), to avoid introducing more friction to users.”
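
The two red flags Woloski describes (a login from London followed five minutes later by one from Singapore, and a password that appears in a breach) can be combined into a risk score that decides when to ask for an extra factor. The Python sketch below is an added example, not code from Auth0 or from the article; the thresholds, score weights, names and the tiny breach set are all assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0  # assumed limit: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0     # assumed floor: ignore IP-geolocation jitter
STEP_UP_THRESHOLD = 50      # assumed score at which an extra factor is required

# Constructed stand-in for a breach corpus. SHA-1 is used only as a lookup key
# so the leaked cleartext is not kept; it is not a password storage hash.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("password1", "qwerty123")}

@dataclass
class Login:
    ts: float   # Unix time of the login, in seconds
    lat: float  # geolocated latitude of the client
    lon: float  # geolocated longitude of the client

def km_between(a, b):
    """Great-circle (haversine) distance between two logins, in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))

def risk_score(previous, current, password):
    """Return (score, reasons) for a login whose password already verified."""
    score, reasons = 0, []
    if previous is not None:
        # Clamp to one second so clock skew or reordered events cannot
        # produce a zero or negative elapsed time.
        hours = max(current.ts - previous.ts, 1.0) / 3600.0
        km = km_between(previous, current)
        if km > MIN_DISTANCE_KM and km / hours > MAX_PLAUSIBLE_KMH:
            score += 60
            reasons.append("impossible_travel")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        score += 50
        reasons.append("breached_password")
    return score, reasons

def requires_step_up(previous, current, password):
    """True when the login should be challenged with an additional factor."""
    return risk_score(previous, current, password)[0] >= STEP_UP_THRESHOLD
```

A login that raises neither flag scores zero and proceeds without a challenge, which is the "friction only when necessary" behaviour described above.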