A data dump containing over 1.4 billion email addresses, passwords, and other credentials, all in clear text, has been found online by security shop @4iQ.
The 41-gigabyte file was discovered on December 5 and had been updated at the end of last month, indicating the data is both current and being used by third parties. The identity of the collator isn't known but the miscreant left Bitcoin and Dogecoin wallet details for donations.
"None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of the have been verified to be true," said Julio Casal, founder of @4iQ. "The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records."
The Exploit.in list is included in this dump, as are records reported stolen before, but a lot of this data is new. It has even all been indexed for easy searching and search tools are also included in the archive.
Disturbingly the archive also shows that years of advice on choosing strong passwords is still being ignored. The top password is, depressingly, still 123456, followed by 123456789, qwerty, password and 111111, and the history of some accounts shows the minor variations that would make other passwords for the account easier to guess.
It's hardly rocket science to guess the possible permutations
When the firm contacted some of the recipients, the email addresses of many proved to be still active, although in most cases the passwords were no longer in use. That said, those passwords may well have been used on other accounts, making the job a lot easier for hackers. ®