A database of 1.4 billion user passwords has been discovered on the dark web, paving the way for what security experts expect to be a "cyber crime epidemic."
The data—compiled from 252 data breaches from websites including LinkedIn, MySpace, Netflix and YouPorn—allows easy access to potentially the largest ever list of information about users.
Dark web monitor Julio Casal described the database in a blog post as easy-to-access and interactive, meaning "even unsophisticated and newbie hackers" can exploit it.
"None of the passwords are encrypted, and what's scary is [that] we've tested a subset of these passwords and most of [them] have been verified to be true," Casal wrote in the blog.
Security researchers have called the 41GB database a "treasure trove" for cyber criminals, especially considering how easy it is to search the data.
By searching for usernames or email addresses across different breached websites, criminals could search for password patterns that could be used to access other accounts.
"With so many online accounts owned by each of us, it may be quite hard to determine what accounts we have (and have forgotten about) and which ones contain data," Mark James, a security specialist at ESET, said in an emailed statement to Newsweek.
"With each breach that happens, the data that's stolen may show patterns and trends in our password practices—if we are forced to change passwords regularly, it may show our thought processes that could enable an attacker to utilize that data for later attacks."
Read more: Bank robber hackers steal millions of dollars in silent heists across U.S. and Russia
Other security experts say the database should also serve as a wakeup call to companies when it comes to their security and protection of customer data.
In an emailed comment, Director of NuData Security Lisa Baergen called it a "crystal clear warning" to organisations to treat cybersecurity as a top priority and not rely so heavily on password-based security checks.
"When companies authenticate their customers with more than just static data, they are not exposed to the risks that databases such as this one pose," Baergen said.
"Passive biometrics monitors behaviour such as how the users hold the device, what fingers they use, and how fast they type, that can't be replicated by a bad actor… With a stronger multi-layered authentication solution [companies] can easily prevent account takeover attempts that use PII [personally identifiable information] from the dark web."
Andrew Clarke, a director at One Identity, added: "Businesses need to realize that the age of the password is past, and here is an example of why this is the case. We have seen many companies allowing weak passwords like '123456' to be set by their users.
"But also, users reusing their passwords for personal and business services. Both result in easy pickings for the criminals."
Uncommon Knowledge
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
About the writer
Anthony Cuthbertson is a staff writer at Newsweek, based in London.
Anthony's awards include Digital Writer of the Year (Online ... Read more
To read how Newsweek uses AI as a newsroom tool, Click here.
