Hold Security, an expert in recovering such credentials says a kid, (is that a hacket?) dubbed ‘The Collector’ from a small town in Russia collected an incredible 1.17 billion stolen credentials from numerous breaches that it is still working on identifying. 272 million of those credentials turned out to be unique, which in turn, translated to 42.5 million credentials – 15% of the total, that it has never seen before.
It turns out that the majority are from Mail.Ru (57M) but many are from Yahoo (40M), Hotmail (33M) and Gmail (24M) and plus thousands of accounts at German and Chinese email providers too – time to change passwords again!
Alex Holden, founder and chief information security officer of Wisconsin-based Hold Security, said, “This information is potent. Thousands of other stolen username/password combinations appear to belong to employees of some of the largest U.S. banking, manufacturing and retail companies.”
Why is this so bad?
Hackers know users use favourite passwords or a variation of the same one. Users are hesitant to change let alone have unique passwords for all online accounts. It's why attackers reuse old passwords found on one account to try to break into other accounts of the same user. Don’t forget that this information ends up in the giant dark data lake on the dark web that allows hackers to socially engineer appeals to users.
It is a timely reminder of 5 May being World Password Day - do something about reuse of passwords today.
Centrify Security Strategist Chris Webber said this latest report provided additional proof that people could no longer rely on passwords for security. “An average person reuses a favourite or easy-to-remember password across multiple sites and apps."
“So if an average user has a personal email password, a personal fileshare password, and the same for work, that means these 272.3 million passwords could unlock over a billion different apps, sites, and services. What’s worse, password theft is getting simpler every day. Forget about movie-style, brilliant-minded, sophisticated hackers. Forget about savvy criminals planning Ocean’s Eleven-style capers. Password harvesting can now be done by anyone clever enough to make a cat meme, or post a nasty comment on YouTube, thanks to simple downloadable toolkits".
“We have to protect ourselves much better – and today, that’s easy. Adding even simple Multi-factor authentication (MFA), like SMS-based verification, would mean that all 272.3 million passwords stolen no longer provide access to anything. Today, those passwords are all you need to gain access. With MFA, those passwords are only part of the key – and accounts will remain safe against today’s most common attacks.”