Releases of “mega collections” of leaked login credentials are seemingly becoming an annual event, but a new hoard of 16 billion passwords discovered by Bob Diachenko of SecurityDiscovery.com merits some special attention. It not only shows an unusually high degree of organization, something that might point to criminal sharing or collaboration, but also apparently contains a substantial number of passwords not seen in prior leaks.
“Two leaked accounts” for every person alive
At 16 billion total leaked login credentials, the researchers estimate this is about two compromised accounts for every person alive. However, these numbers do not account for factors such as duplicate entries and accounts that may belong to automated systems or otherwise be of low general interest.
While these mega-leaks often contain a lot of old information and are thus not a severe new risk to the average person, this one does appear to contain quite a few passwords that have not surfaced on the dark web or other usual sources before. Another element mitigating the risk is that, according to the researchers, the leaked login credentials were only exposed for a brief period due to some kind of misconfiguration. That points to some sort of private group already making use of them for some time, but likely limited their potential spread to other threat actors.
Still, all it takes is one malicious actor obtaining them and dumping them to the public. The high level of organization would certainly help threat actors jump right into targeted attacks, and it is unknowable how many untried new credentials they would have at their disposal. The researchers do not have any leads on who was maintaining the leaked login credentials, but the greatest likelihood is some sort of organized cybercrime group. The level of organization and the use of cloud storage point to the possibility that this was a shared resource or that access to it was being sold, potentially to be used in tandem with AI to try credentials more rapidly.
Login credentials almost certainly collected by infostealer malware
Though the specific perpetrators are not known, the formatting of the login credentials makes clear that this collection was largely put together by way of infostealer malware. Most entries have the URL of the applicable service paired with the username and password, but some include further information such as cookies or access tokens.
One of the elements that sets this leak apart from prior “mega” collections of login credentials is its organization. There are demographic groups, for example exclusively victims from Russia or Portugal, as well as collections specific to the service that the credentials were stolen from. Given that infostealer malware was used, this indicates a lot of after-the-fact sorting for someone’s convenience.
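The two paragraphs above describe the shape of the data (URL paired with username and password) and the after-the-fact sorting by service and victim group. As an added example, not code from the article or from SecurityDiscovery.com, the following Python script shows how a defender who obtains such a dump would triage it: deduplicate, count entries per service, and list which accounts on the organization's own domains need a forced reset and MFA check. It assumes a `url:username:password` line layout (the article does not specify separators), and the sample lines are constructed, not real leaked data. Passwords are parsed but never returned or printed.

```python
"""Triage an infostealer-style credential dump from the defender's side.

Added example; assumes each line is URL:USERNAME:PASSWORD (an assumption,
the article does not state the separator). All sample data is constructed.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in the assumed url:user:password layout.
# Line 1 is repeated to show why headline counts overstate unique accounts,
# and the last line shows how malformed input is handled.
SAMPLE_DUMP = """\
https://mail.example.com/login:alice@example.com:Winter2024!
https://mail.example.com/login:alice@example.com:Winter2024!
https://portal.example.com/:bob@example.com:hunter2
https://shop.example.net/account:carol@personalmail.test:correct horse
https://accounts.other.test/signin:dave@example.com:p@ss:word
malformed line without separators
"""


def parse_line(line):
    """Split one dump line into (url, username, password), or None if malformed.

    The URL scheme's '://' is consumed first so its colon is not mistaken for
    a field separator; the remainder is split at most twice from the left so a
    password containing ':' survives intact. Limitation: a URL with an explicit
    port (host:8443) would be misparsed under this layout.
    """
    line = line.strip()
    if "://" not in line:
        return None
    scheme, rest = line.split("://", 1)
    parts = rest.split(":", 2)
    if len(parts) != 3 or not all(parts):
        return None
    host_path, user, password = parts
    return (f"{scheme}://{host_path}", user, password)


def triage(dump_text, watched_domains):
    """Summarise a dump for incident response.

    Returns counts of unique/duplicate/malformed records, a per-service
    tally, and the usernames on watched domains that need a credential
    reset. Passwords stay inside this function and are never returned.
    """
    watched = {d.lower() for d in watched_domains}
    seen = set()
    records = []
    duplicates = malformed = 0
    for raw in dump_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            malformed += 1
            continue
        if rec in seen:  # exact repeats inflate the headline number
            duplicates += 1
            continue
        seen.add(rec)
        records.append(rec)

    # Which services the stolen logins belong to (the sorting the article
    # says the dump's maintainers had already done).
    by_service = Counter(urlsplit(url).hostname for url, _, _ in records)

    # Which of *our* users appear, keyed by the e-mail domain of the username.
    affected = defaultdict(set)
    for _, user, _ in records:
        if "@" in user:
            domain = user.rsplit("@", 1)[1].lower()
            if domain in watched:
                affected[domain].add(user)

    return {
        "unique_records": len(records),
        "duplicates_dropped": duplicates,
        "malformed": malformed,
        "by_service": dict(by_service),
        "affected_users": {d: sorted(u) for d, u in affected.items()},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DUMP, {"example.com"})
    print(f"unique records: {report['unique_records']}, "
          f"duplicates dropped: {report['duplicates_dropped']}, "
          f"malformed: {report['malformed']}")
    for host, n in sorted(report["by_service"].items()):
        print(f"  {host}: {n}")
    for domain, users in report["affected_users"].items():
        print(f"reset and verify MFA for {domain}: {', '.join(users)}")
```

The output of `triage` is what a security team actually needs from such a find: the list of its own accounts to reset and the services involved, with the duplicate and malformed counts explaining why the raw line count is not a count of compromised people.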
One key takeaway is that while there are never-before-seen passwords in this mix, the researchers caution that it is not tied to any new or previously undisclosed breaches. It is all quite likely older information, just some that was not seen in public before.
The set of login credentials is second in size only to the “Mother of All Breaches” released last year, but appears to have more new information and continues an annual trend of tens of billions of credentials being dumped as part of some sort of criminal collection. These events serve as a reminder to practice good password hygiene and not to share login credentials, but ultimately serve as perhaps the most effective advertisement for adopting MFA.