4iQ researchers recently came across a single 41 GB file containing a searchable database of more than 1.4 billion clear text login credentials on the dark Web. The largest-ever password dump brings together credentials stolen in 252 separate breaches, including the LinkedIn breach.
When the researchers came across the file last week, new data had last been inserted just days earlier.
“This is not just a list,” the researchers noted. “It is an aggregated, interactive database that allows for fast (one-second response) searches and new breach reports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover.”
Imperva CTO Terry Ray told eSecurity Planet by email that it won’t be long before aggregated data sets containing much more than passwords are sold on the dark Web.
“When you consider how quickly one can change their password, datasets like this one are only valid as long as users continue to make poor choices in password usage,” Ray said. “Stolen names, addresses, family member names, etc., don’t change nearly as often, if ever for some, so the long term value and longevity of a more extensive analytic dataset would likely be very popular in some hands.”
In the meantime, passwords present a significant security risk. A recent Intermedia survey of more than 1,000 U.S. office workers found that 24 percent of respondents reuse the same login credentials for their work and personal accounts.
The problem is worse among millennials — 35 percent of millennials, 19 percent of Gen Xers, and 12 percent of baby boomers use the same login credentials for work and personal accounts.
Fifty-seven percent of respondents store work files on their desktop or in desktop folders, making them harder to back up — and 34 percent store work data on personal file sharing services.
“When employees do not properly back up files, choose to use the same password across multiple accounts, or send confidential materials to their personal accounts, their companies are left exposed and vulnerable not only to data loss, but to serious financial and legal implications as well,” Intermedia CTO Jonathan Levine said in a statement.
A separate Preempt survey of more than 200 enterprise employees found that 41 percent use the same password for personal and work accounts — and while 20 percent said their passwords had been compromised in a breach, 63 percent only changed their passwords for the account that was directly breached.
Almost 25 percent of respondents said their office or group leverages accounts where several users share a single username and password.
Twenty-five percent of respondents have tried to access data at work that they weren’t supposed to, and 60 percent of those employees were successful in doing so.
Over 90 percent of respondents have poor password update practices — 47 percent use a variation of a current password (changing a letter or number, etc.), and 45 percent write the new password down on paper. Just 4 percent use a password manager.
“Uncontrolled employee access combined with poor security habits are a recipe for a breach no matter how you look at it,” Preempt co-founder and CEO Ajit Sancheti said in a statement. “With the billions of dollars being spent each year on cyber security, it’s concerning to discover how easy it is for overconfident employees to access data or bend the rules and negate the impact of those significant security investments.”
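Two of the failure modes described above, passwords that already sit in an aggregated breach corpus and "new" passwords that are only a letter or digit away from the old one, can be screened for at password-change time. The following is an added illustration written for this page, not code from 4iQ, Imperva, Intermedia or Preempt. It simulates a k-anonymity range lookup (the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally, so the full hash never leaves the client) against a constructed, made-up corpus, and rejects trivial variants of the previous password. The corpus strings and the `screen_password_change` function name are assumptions for the example.

```python
"""Defender-side password-change screening (added example).

Checks performed on a candidate password:
  1. it appears in an aggregated breach corpus, tested with a
     k-anonymity range lookup so the full hash is never sent; and
  2. it is a trivial variation of the previous password (one character
     changed, or the same stem with a different trailing number/symbol).
"""
import hashlib
import re

# Constructed stand-in for a breach corpus. These strings are made up for
# the example and are not taken from any real dump.
CONSTRUCTED_BREACH_CORPUS = [
    "password1", "linkedin2012", "Summer2017!", "qwerty123", "letmein",
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form range-query services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index the corpus the way a range-query API serves it:
    5-hex-char SHA-1 prefix -> list of 35-char suffixes."""
    index = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


def range_query(prefix: str, index) -> list:
    """Simulated server side: given only a prefix, return every suffix.
    The server never learns which suffix the client cares about."""
    return list(index.get(prefix.upper(), []))


def is_breached(candidate: str, index) -> bool:
    """Client side of the k-anonymity check: hash locally, send the
    prefix, compare the suffix against what comes back."""
    digest = sha1_hex(candidate)
    return digest[5:] in range_query(digest[:5], index)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling single row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _stem(password: str) -> str:
    """Drop trailing digits/punctuation and case so 'Winter2017!' and
    'winter2018' reduce to the same stem."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is the old one with a counter bumped,
    a symbol swapped, or a single character changed."""
    if old == new:
        return True
    if _stem(old) and _stem(old) == _stem(new):
        return True
    return _edit_distance(old.lower(), new.lower()) <= 1


def screen_password_change(old: str, new: str, index):
    """Return (accepted, reason) for a proposed password change."""
    if is_breached(new, index):
        return False, "appears in breach corpus"
    if is_trivial_variant(old, new):
        return False, "trivial variation of previous password"
    return True, "ok"


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for old, new in [("Winter2017!", "Winter2018!"),
                     ("Winter2017!", "qwerty123"),
                     ("Winter2017!", "correct-horse-battery-staple")]:
        print(f"{old} -> {new}: {screen_password_change(old, new, idx)}")
```

The stem check is deliberately crude; it catches the "change a letter or number" habit the survey describes without trying to enumerate every mangling rule. In production the breach corpus would be a real range-query service or a locally mirrored hash set, and the old password is only available in cleartext at the moment the user supplies it during the change flow.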