1.4B stolen passwords are free for the taking: What we know now

The 2012 LinkedIn password breach, and others like it, are still paying dividends for criminals

More than a billion plaintext passwords from third-party data breaches are freely available on the internet, and the human tendency to reuse passwords across multiple services means these credentials, some of them years old, remain a serious threat, especially for smaller organizations.

For years password dumps have been traded on criminal forums, but in the last six months the sheer volume of passwords has driven the price down, to the point that, in 2017, someone dumped a collection of 1.4 billion previously exposed credentials online — for free.

The credentials remain available at no charge to anyone who knows how to use a search engine and a torrent client, no need to bother with Tor.

"This has never happened before in history," J. Tate, co-founder of Bits & Digits, says. "People used to say, where do you find the breach data? On the dark net. Now here it is publicly; use it for what you want to use it for."

While researching this story, CSO uncovered in the breached data thousands of work email addresses and old passwords belonging to current and former employees of IDG (CSO's parent company), as well as IDG affiliates. CSO worked with IDG's IT departments to determine if the exposed passwords were accurate at the time of breach and to potentially identify incidents of password reuse.

The trove of data also includes email addresses and passwords for people working at all levels of government in countries around the world including police, military, and spies. Even users with @nsa.gov email accounts appear in these data dumps, although the National Security Agency (NSA) assured CSO that the agency is not affected by these exposed credentials. But, then, few organizations, if any, consume the volume or quality of threat intel that the NSA does.

The Department of Homeland Security and Department of Justice, both with email addresses and passwords in the dump, told CSO their agencies were unaffected, as did Bank of America and Wells Fargo. Likewise, Google and Apple said that the hundreds of millions of Gmail and iCloud email accounts in the dump were unaffected, since both companies proactively search for this kind of breach data and make their users change their passwords.

Small to medium-sized businesses, though, do not typically consume the same kind of threat intel as major banks, government agencies, or large tech companies, nor do they do basic things like downloading third-party breach data with a torrent client and cross-referencing it against a list of current employees.

This leaves large swaths of businesses and local governments at risk of password reuse attacks — known as "credential stuffing" attacks — well within reach of unsophisticated attackers. Defending against these trivial yet devastating attacks begins with accepting the realities of human nature and recognizing that blaming employees or customers for reusing passwords is futile. Far better to appreciate that people are terrible at choosing and remembering strong passwords and go from there.
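One way to do the cross-referencing described above, and to reuse the same dump to refuse leaked passwords at reset time, as an added example that is not from the article or from any organisation it names; the dump lines and the employee list are constructed sample data, and the report carries password hashes rather than plaintext so it can be handed to an IT team.

```python
"""Cross-reference a third-party breach dump against current staff and build
a blocklist of leaked passwords. Constructed sample data; not a real dump."""
import hashlib
from collections import defaultdict

# Constructed sample of dump lines in the common "email:password" form,
# including duplicates, a mixed-case address and two malformed lines.
SAMPLE_DUMP = """\
Alice@Example.com:Summer2012!
bob@example.com:hunter2
carol@other.org:letmein
alice@example.com:Summer2012!
dave@example.com:
malformed line without separator
bob@example.com:hunter2
"""

# Constructed list of current staff (assumed to come from the directory).
CURRENT_EMPLOYEES = {"alice@example.com", "bob@example.com", "erin@example.com"}

def parse_dump(text):
    """Yield (email, password) pairs; skip lines with no separator,
    no '@' in the address, or an empty password."""
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if not sep or not password or "@" not in email:
            continue
        yield email.strip().lower(), password

def exposed_employees(dump_text, employees):
    """Map each current employee found in the dump to the number of distinct
    leaked passwords. Only SHA-256 digests are kept, never the plaintext."""
    leaked = defaultdict(set)
    for email, password in parse_dump(dump_text):
        if email in employees:
            leaked[email].add(hashlib.sha256(password.encode()).hexdigest())
    return {email: len(digests) for email, digests in leaked.items()}

def leaked_password_hashes(dump_text):
    """Digests of every leaked password, for a reuse check at password-change
    time: the candidate password is hashed and looked up, not stored."""
    return {hashlib.sha256(p.encode()).hexdigest() for _, p in parse_dump(dump_text)}

def is_reused(candidate, blocklist):
    """True when the candidate password appears in the breach corpus."""
    return hashlib.sha256(candidate.encode()).hexdigest() in blocklist

if __name__ == "__main__":
    print(exposed_employees(SAMPLE_DUMP, CURRENT_EMPLOYEES))
    blocklist = leaked_password_hashes(SAMPLE_DUMP)
    print(is_reused("hunter2", blocklist), is_reused("correct horse battery", blocklist))
```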
