More than 1 billion email / password combinations have leaked online

Tomcat

Professional
Unknown persons published unencrypted e-mail addresses and passwords of users in the public domain. Security researcher Bob Diachenko discovered the unsecured Elasticsearch database on December 4 this year, but it was indexed by the BinaryEdge search engine at the beginning of the month and has been in the public domain ever since. Diachenko notified the relevant ISP of the incident, and the database was secured on December 9.

The database contained 2.7 billion email addresses and over 1 billion unencrypted passwords for them. As shown by the analysis of the database, most of the data is a leak, put up for sale by a cybercriminal under the pseudonym DoubleFlag in early 2021. The leak, titled The Big Asia Leak, included user data from a number of Chinese internet companies, including NetEase, Tencent, Sohu, and Sina.

The new 1.5TB leak mainly contains email addresses from Chinese users (qq.com, 139.com, 126.com, gfan.com, and game.sohu.com). Most of the usernames are sets of numbers or phone numbers. Comparitech explained that such usernames are typical for Chinese people who have difficulty with the characters of the Latin alphabet.

Who owned the open database is unknown. In theory, it could have been collected in the first phase of a credential stuffing attack or spam campaign.

Tomcat

The password "123456" was found 7 million times among the billion leaked credentials

In one of the largest studies dedicated to password reuse, specialist Ata Hakchil analysed more than one billion leaked credentials and found that the common password "123456" turns up every 142 minutes.

According to the Turkish student, among more than 1 billion records he found only 168,919,919 unique passwords, of which "123456" was encountered about 7 million times. This set of numbers is the simplest password known to date.

As Hakchil noted, the average password length was usually 9 characters, which is not very good, but not too bad either. Most information security experts recommend using longer passwords, for example, in the range from 16 to 24 characters or even more.

But password length wasn't the only problem Hakchil found. According to the Turkish researcher, password complexity was also low, as only 12% of passwords contained special characters. In most cases, users chose simplified passwords using only uppercase letters (29% of all passwords), lowercase letters (26%), or numbers (13%). Thus, about 68% of the total number of passwords from the 1 billion records were vulnerable to brute force attacks.
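The measurements the post describes (unique-password count, most frequent password, average length, share of passwords using special characters or a single character class) are the same ones a defender would compute over the output of an internal password audit or over a breach corpus being checked for exposure. The script below is an added example written for this thread, not Hakchil's own tooling, and it runs on a small constructed "email:password" combolist embedded inline rather than on the real data set.

```python
import re
import statistics
from collections import Counter

# Constructed sample corpus in combolist style ("email:password").
# These are made-up entries for the example, not records from the leak.
SAMPLE_CREDENTIALS = """\
13800000001@139.com:123456
user1@qq.com:123456
user2@qq.com:Password1
user3@126.com:qwerty
13900000002@139.com:123456
user4@gfan.com:P@ssw0rd!
user5@game.sohu.com:abcdefghij
user6@qq.com:ABCDEFGH
user7@qq.com:88888888
user8@126.com:Tr0ub4dor&3
""".splitlines()

# Anything outside ASCII letters and digits counts as a "special character".
SPECIAL = re.compile(r"[^A-Za-z0-9]")


def parse_combolist(lines):
    """Yield the password field of each 'email:password' line.

    Split on the first ':' only, because a password may itself contain ':'.
    Lines without a separator or with an empty password are skipped.
    """
    for line in lines:
        if ":" not in line:
            continue
        _, password = line.split(":", 1)
        if password:
            yield password


def classify(password):
    """Bucket a password by character class, mirroring the study's categories."""
    if SPECIAL.search(password):
        return "special"
    if password.isdigit():
        return "digits_only"
    if password.isalpha() and password.isupper():
        return "upper_only"
    if password.isalpha() and password.islower():
        return "lower_only"
    return "mixed_alnum"


def corpus_stats(lines):
    """Compute reuse and complexity statistics over a credential corpus."""
    passwords = list(parse_combolist(lines))
    if not passwords:
        raise ValueError("no parsable credentials")
    counts = Counter(passwords)
    top_pw, top_n = counts.most_common(1)[0]
    classes = Counter(classify(p) for p in passwords)
    total = len(passwords)
    single_class = classes["digits_only"] + classes["upper_only"] + classes["lower_only"]
    return {
        "total": total,
        "unique": len(counts),
        "most_common": top_pw,
        "most_common_count": top_n,
        # "one in every N passwords is the top password"
        "one_in_every": round(total / top_n),
        "avg_length": statistics.mean(len(p) for p in passwords),
        "pct_special": 100.0 * classes["special"] / total,
        # share of passwords drawn from a single character class, i.e. the
        # group the post describes as easiest to brute force
        "pct_single_class": 100.0 * single_class / total,
        "by_class": dict(classes),
    }


if __name__ == "__main__":
    for key, value in corpus_stats(SAMPLE_CREDENTIALS).items():
        print(f"{key}: {value}")
```

On the constructed sample the most common password is again "123456" (3 of 10 entries, so roughly one in every 3), 20% of passwords contain a special character and 70% are drawn from a single character class. Replace `SAMPLE_CREDENTIALS` with the lines of a file you are entitled to analyse to reproduce the study's breakdown on your own data.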