Is someone spying on you? Check your email now

Old hacks strike again: Data from 2.2B accounts lands on the dark web

More than 600 gigabytes of hacked accounts from years ago have been compiled and are free to download.

Billions of hacked passwords and usernames from the last decade have come together in a convenient download for anyone who can find it on the dark web.

More than 2.2 billion usernames and passwords have been compiled and laid out for hackers to use, according to researchers from the Hasso Plattner Institute in Germany.

The compiled data doesn’t come from any fresh breaches: Much of the information was accumulated in hacks like LinkedIn’s 100 million breached accounts and Dropbox’s 68 million stolen credentials, both of which happened in 2012. While this stolen data has been available for years, the massive collection conveniently puts it all in one download for people to use.

Researchers are referring to all that as Collection #2 through Collection #5, and it’s one of the largest compilations of stolen credentials in history. It follows the 773 million email addresses released in Collection #1 earlier in January.  

Data breaches are a painful reality of the digital era, with billions of people’s personal and confidential information at stake. That’s drawn the attention of lawmakers, who are considering ways to punish multimillion-dollar companies that can’t protect people’s private data.

Compiling data from old breaches could be a startling new trend for cybercriminals, said Emily Wilson, vice president of research at security firm Terbium Labs.

“Data from thousands of breaches, big and small, is floating around on the dark web on any given day,” she said. “There’s nothing stopping an enterprising criminal from gathering the data together, packaging it and remarketing it — especially when they can turn a profit.”

In the first collection, stolen credentials come from breaches as far back as 2008, sourced from more than 2,000 different hacked websites. The rest of the set, which weighs in at more than 600GB, includes data from hacks that hit MySpace and Adobe in 2013.   

Stolen credentials, especially on this scale, can be extremely valuable, but they’ve popped up for free on the dark web and hacker forums over the last month. Some entrepreneurial hackers have chosen to charge for the stolen data, despite its age.

“These collections contain enough credential sets that some percentage are bound to still be valid, and they’re directly in the line of sight for the criminal community,” Wilson said. “Even accounts that have since undergone a password change are still at risk: email addresses are appetizing targets for phishing attacks, and regular password reuse across multiple platforms means that even if the exposed account has undergone a password change, there may be plenty of other accounts still using that same compromised password.”

While the stolen information is old, hackers are betting that a small percentage of people in the data dump never changed their credentials, or are still using the same passwords years later.

If even just one-tenth of 1 percent of people in the massive leak still use the same passwords, that’s 2.2 million accounts that hackers could potentially access. Considering that 45 percent of people would keep the same password after a breach, according to a LastPass survey, the odds are in the attackers’ favor.

The massive amount of stolen data is most useful for credential stuffing, a technique in which bots flood multiple services with the same set of login information as quickly as possible.

If someone uses the same username and password for their hacked account on LinkedIn that they do for their bank accounts, for example, it could be an opening for credential stuffers to exploit.
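From the defending service's side, credential stuffing leaves a recognizable trace in login logs: one source trying many different accounts, about once each, with nearly all attempts failing. The sketch below is an added example, not part of the original article; the event format, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, succeeded).
# 203.0.113.7 replays leaked pairs: one try per account, almost all failing.
# 198.51.100.4 is a user mistyping a password; 192.0.2.9 guesses at one account.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", i == 3) for i in range(12)]
    + [("198.51.100.4", "alice@example.com", ok) for ok in (False, False, True)]
    + [("192.0.2.9", "bob@example.com", False) for _ in range(15)]
)


def find_stuffing_sources(events, min_accounts=10, max_tries_per_account=2.0,
                          min_failure_ratio=0.8):
    """Return {source: stats} for sources whose logins look like credential stuffing.

    Thresholds are illustrative assumptions; tune them against your own baseline.
    """
    attempts = defaultdict(int)
    failures = defaultdict(int)
    accounts = defaultdict(set)
    for source, username, succeeded in events:
        attempts[source] += 1
        failures[source] += 0 if succeeded else 1
        accounts[source].add(username.lower())

    flagged = {}
    for source, total in attempts.items():
        distinct = len(accounts[source])
        tries_per_account = total / distinct
        failure_ratio = failures[source] / total
        # Many accounts, roughly one try each, mostly failing: replayed leak data.
        if (distinct >= min_accounts
                and tries_per_account <= max_tries_per_account
                and failure_ratio >= min_failure_ratio):
            flagged[source] = {
                "accounts": distinct,
                "attempts": total,
                "failure_ratio": round(failure_ratio, 2),
                "hits": total - failures[source],  # logins to review and reset
            }
    return flagged


if __name__ == "__main__":
    for source, stats in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(source, stats)
```

The `hits` count matters most for response: those are accounts where a reused password still worked and should be forced through a reset.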

You can check if you were affected by the massive data set with the HPI’s search tool. Even if you weren’t affected, you should consider changing your outdated passwords, or using a password manager.

 

With the HPI Identity Leak Checker, it is possible to check whether your email address, along with other personal data (e.g. telephone number, date of birth or address), has been made public on the Internet where it can be misused for malicious purposes.
