A collection of roughly 42 million records was recently uploaded to the
anonymous file hosting service kayo.moe. The collection included unique email
addresses and plain-text passwords, alongside partial credit card data.
Troy Hunt, the Australian security researcher who created the Have I Been
Pwned (HIBP) data breach index, was asked to analyse the data and check whether
it was the result of a previously unknown breach. He found that more than 91% of
the passwords in the dataset were already present in Have I Been Pwned, and that
the filenames in the collection do not point to a specific source, since there is
no single pattern to the breaches the data had previously appeared in.
Given the format of the data, the lists are most likely intended for
credential stuffing attacks, which combine leaked email addresses and cracked
passwords into a single list of pairs and replay them automatically against
other online services to hijack any user accounts that match.
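The two steps described above, parsing an email:password combo list and checking how much of it is already known, as an added example; this is not Hunt's code or any HIBP tooling. It uses the k-anonymity scheme that the Pwned Passwords range API (https://api.pwnedpasswords.com/range/<prefix>) uses: the client sends only the first five hex characters of the password's SHA-1 hash, receives every known hash suffix under that prefix, and matches the rest locally, so the full password or hash never leaves the machine. The combo list, the breached-password corpus and the range responses are all constructed here so the script runs offline; a real check would swap the local lookup for an HTTPS call to the API.

```python
"""Offline triage of a credential-stuffing combo list (added example).

Parses email:password pairs, deduplicates the email addresses and checks each
password with the Pwned Passwords k-anonymity range lookup, here emulated by a
constructed local table rather than the live API.
"""
import hashlib
from collections import defaultdict

# Constructed combo-list sample in the email:password layout described in the
# article. Made-up entries; nothing here comes from the actual dump.
SAMPLE_COMBO_LIST = """\
alice@example.com:password123
bob@example.org:letmein
alice@example.com:password123
carol@example.net:correct horse battery staple
dave@example.com:Tr0ub4dor&3
erin@example.com:hunter2
this line has no separator
"""

# Constructed stand-in for the breached-password corpus: password -> times seen.
# A real deployment would query https://api.pwnedpasswords.com/range/<prefix>
# instead of this table.
FAKE_BREACH_CORPUS = {
    "password123": 120000,
    "letmein": 85000,
    "hunter2": 4200,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the hash Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Group the corpus by 5-character hash prefix, mirroring what the range API serves."""
    index = defaultdict(list)
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


def range_response(index: dict, prefix: str) -> str:
    """Emulate GET /range/<prefix>: one 'SUFFIX:COUNT' line per known hash."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return "\r\n".join(index.get(prefix.upper(), []))


def parse_combo_list(text: str) -> tuple:
    """Split 'email:password' lines on the first colon (passwords may contain ':').

    Returns (rows, malformed_count); lines without a usable email are skipped."""
    rows, malformed = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            malformed += 1
            continue
        rows.append((email.lower(), password))
    return rows, malformed


def breach_count(password: str, fetch_range) -> int:
    """k-anonymity check: send only the 5-char prefix, match the suffix client-side."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        known_suffix, _, count = line.strip().partition(":")
        if known_suffix == suffix:
            return int(count)
    return 0


def triage(text: str, fetch_range) -> dict:
    """Summarise a combo list: unique emails and the share of passwords already known."""
    rows, malformed = parse_combo_list(text)
    unique_emails = {email for email, _ in rows}
    unique_passwords = {password for _, password in rows}
    counts = {p: breach_count(p, fetch_range) for p in unique_passwords}
    already_known = sum(1 for c in counts.values() if c > 0)
    return {
        "rows": len(rows),
        "malformed": malformed,
        "unique_emails": len(unique_emails),
        "unique_passwords": len(unique_passwords),
        "already_known": already_known,
        "known_fraction": already_known / len(unique_passwords) if unique_passwords else 0.0,
        "counts": counts,
    }


if __name__ == "__main__":
    index = build_range_index(FAKE_BREACH_CORPUS)
    summary = triage(SAMPLE_COMBO_LIST, lambda prefix: range_response(index, prefix))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Splitting on the first colon only matters in practice: combo lists carry passwords that themselves contain colons, and naive `line.split(":")` silently truncates them and produces false negatives against the breach corpus.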
Sample of data from lists sent to Hunt
Credential stuffing works because users, for convenience, tend to reuse the
same credentials across many sites, so a password exposed in one breach often
unlocks the same person's accounts elsewhere.
"When I pulled the email addresses out of the file, I found almost 42M unique
values. I took a sample set and found about 89% of them were already in HIBP
which meant there was a significant amount of data I've never seen before,"
Hunt wrote in a blog post.
The collection consisted of 755 files totalling 1.8GB.
Users are, as always, advised to use strong and distinct passwords for each
account, and to enable multi-factor authentication wherever it is offered.