1.4 Billion User Credentials in Database on Dark Web

Here’s a reason for you to be concerned about the security of the accounts you use for various online services. A cybersecurity firm that researches the Dark Web said they recently discovered that one interactive and easily searchable database of about 1.4 billion user credentials is being distributed.

With a number that big, it’s quite possible that one or more of those sets of credentials belong to you.

Let’s Look at the Numbers

The numbers related to 4iQ’s discovery are jaw dropping. The single database contains 1,400,553,869 credentials. Those credentials were acquired from 252 data breach incidents.

When 4iQ searched for the username strings “admin,” “administrator,” and “root,” 226,631 results were returned. The database is a 41GB dump file, and it’s completely in plaintext. 14% of the username and password pairs are new discoveries to the data breach community.

So, about 385 million credential pairs, 318 million unique users, and 147 million passwords in the database are new and aren’t in other credential breach dump files.

The Most Commonly Used Passwords

Here are the 40 most commonly found passwords in the database:

1 - 123456, used 9,218,720 times

2 - 123456789, used 3,103, 503 times

3 - qwerty, used 1,651,385 times

4 - password, used 1,313,464 times

5 - 111111, used 1,273,179 times

6 - 12345678, used 1,126,222 times

7 - abc123, used 1,085,144 times

8 - 1234567, used 969,909 times

9 - password1, used 954,446 times

10 - 1234567890, used 879,924 times

11 - 123123, used 866,640 times

12 - 12345, used 834,468 times

13 - homelesspa, used 621,078 times

14 - iloveyou, used 564,344 times

15 - 1q2w3e4r5t, used 527,158 times

16 - qwertyuiop, used 470,562 times

17 - 1234, used 468,554 times

18 - 123456a, used 417,878 times

19 - 123321, used 398,114 times

20 - 654321, used 371,627 times

21 - 666666, used 370,652 times

22 - 123, used 354,784 times

23 - monkey, used 347,187 times

24 - dragon, used 343,864 times

25 - 1qaz2wsx, used 311,371 times

26 - 123qwe, used 300,279 times

27 - 121212, used 299,984 times

28 - myspace, used 298,938 times

29 - a123456, used 291,932 times

30 - qwe123, used 276,473 times

31 - 1q2w3e4r, used 270,488 times

32 - zxcvbnm, used 268,121 times

33 - 7777777, used 263,605 times

34 - 123abc, used 255,079 times

35 - qwerty123, used 250,732 times

36 - qwerty1, used 241,721 times

37 - 987654321, used 241,495 times

38 - 222222, used 227,701 times

39 - 555555, used 226,785 times

40 - 112233, used 220,363 times

Yes, It’s Real

The researchers have checked the usernames and passwords of a few specific users and confirmed they were all real credentials. The most recent credentials in the database are dated November 29, 2017.

The database includes credentials from data breaches related to LinkedIn, Twitter, Neopets, Badoo, Redbox, Myspace, Gmail, and 000webhost.com. Without having the opportunity to search the database myself, I’ve already changed all of my online passwords and I’d advise you to do the same.

I’d like to thank 4iQ for finding the database, and Julio Casal for sharing the findings on Medium.

Once again, please change your passwords. Be sure to make them long – many suggest at least 32 characters - and consider using a password manager if that helps you make your passwords more complex.