Security researchers have discovered a new database floating around the dark web that contains a whopping 1.4 billion username and password combinations in clear text. While scouring the dark web for stolen, leaked or lost data, researchers at 4iQ found the 41GB file with an interactive, aggregate database dubbed the largest ever found on the dark web to date.
The 1.4 billion records have been aggregated from various sources, earlier data breaches and credential lists. According to 4iQ, the passwords came from credential lists like Anti Public and Exploit.in, as well as dumps from LinkedIn, MySpace, Netflix, Bitcoin, Pastebin, Last.FM, Zoosk, YouPorn, Badoo, RedBox and games such as Minecraft and Runescape.
The researchers tested a portion of the unencrypted passwords and verified them to be true.
"This is not just a list," 4iQ wrote in a Medium post. "It is an aggregated, interactive database that allows for fast (one second response) searches and new breach imports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover.
"The data is organized alphabetically, offering examples of trends in how people set passwords, reuse them and create repetitive patterns over time."
Researchers said the database makes finding passwords faster and easier for nefarious actors "than ever before." A simple search for "admin", "administrator" and "root", for example, churned out 226,631 passwords used by administrators within seconds.
About 14% of the exposed username and password combinations had not been previously decrypted by the hacking community and are now available in clear text for threat actors to scroll through.
The database was discovered on Tuesday (5 December) in an underground community forum and was last updated with fresh stolen credentials on 29 November. It is unclear who is responsible for the database. However, researchers noted that Bitcoin and Dogecoin wallets are included for donations.
"This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps," researchers said. "Since the data is alphabetically organized, the massive problem of password reuse — same or very similar passwords for different accounts — appears constantly and is easily detectable."
As expected, the database also exposed the common but dangerous tendency of people to reuse simple, easy-to-remember passwords across different platforms. The most common passwords found in the database were "123456", "123456789", "qwerty", "password" and "111111".
"This experience of searching and finding passwords within this database is as scary as it is shocking," researchers said.