360 million recently compromised passwords for sale online
Courtesy Dan Goodin, Ars Technica
Underscoring the insecurity of many online dating, job, and e-mail services, security researchers said that they have tracked almost 360 million compromised login credentials for sale in underground crime forums over the past three weeks.
The haul, which included an additional 1.25 billion records containing only e-mail addresses, came from multiple breaches, according to a statement posted Tuesday by Hold Security. The biggest single list contained 105 million details, making it among the bigger online finds, the firm told Reuters. The cache included e-mail addresses that most likely served as user names and corresponding passwords. It remains unclear what service the account credentials unlock.
Or, how to go from "123456" to "XBapfSDS3EJz4r42vDUt."
Hold Security is the same firm that in October discovered the circulation of 153 million user names and passwords stolen during a massive breach of Adobe’s corporate network. A month later, the security firm uncovered 42 million plaintext passwords taken during a hack on niche dating service Cupid Media.
At 360 million, Hold Security’s latest find is big enough that it likely also came from hacks on poorly secured Web service servers that store large caches of user credentials. The risk of these types of attacks are biggest for users who choose the same password for multiple services. Once an attacker has someone’s e-mail address and password for one site, the credentials can be used to compromise every other site account that uses the same user name and password. Ars has long advised readers to use a long, randomly generated password that’s unique for each online account. You can find a much more detailed how-to here.