Researchers noticed a huge database containing email addresses and passwords left online without password protection.
A joint investigation by cybersecurity firm Comparitech and security researcher Bob Diachenko revealed that a database of more than 2.7 billion email addresses was exposed online, allowing anyone to access the identity information it held. Around one billion of those records also contained a plain-text password associated with the exposed email address. Diachenko alerted the U.S. ISP hosting the database on December 4, 2019, and the leaky database was taken down on December 9, 2019.
According to reports, the majority of exposed email addresses were from Chinese domains including qq.com, 139.com, 126.com, gfan.com, and game.sohu.com, which belong to China's popular internet firms Tencent, Sina, Sohu, and NetEase.
“Comparitech immediately took steps to take down the database upon discovering in order to mitigate harm to end-users, but we don’t know if anyone accessed it in the meantime,” researchers said in a statement.
Risks with Exposed Data
Cybercriminals make use of stolen data like this in credential stuffing attacks. In a credential stuffing attack, an attacker tries to log into many user accounts with known email and password combinations. Attackers take advantage of the fact that most people reuse the same email address and password across multiple accounts. Once attackers gain access to one account, they attempt to break into the victim's other accounts by trying variations of the same password. The compromised accounts are then used for a variety of purposes, including spam, phishing, fraud, and identity theft.
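Because a stuffing source cycles through many distinct accounts rather than retrying one, defenders can spot it in authentication logs. The following detector is an added example, not code from the article or the researchers; the log line format, the sample entries and the thresholds are constructed assumptions.

```python
# Added example (not from the article): flag credential-stuffing patterns in
# constructed authentication log lines. Log format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample: one IP cycling through a leaked list, one ordinary user retrying.
SAMPLE_LOG = """\
2019-12-09T10:00:00Z ip=203.0.113.7 user=alice@example.com result=FAIL
2019-12-09T10:00:01Z ip=203.0.113.7 user=bob@example.com result=FAIL
2019-12-09T10:00:02Z ip=203.0.113.7 user=carol@example.com result=OK
2019-12-09T10:00:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2019-12-09T10:00:04Z ip=203.0.113.7 user=erin@example.com result=FAIL
2019-12-09T10:00:05Z ip=203.0.113.7 user=frank@example.com result=FAIL
2019-12-09T10:00:06Z ip=198.51.100.5 user=alice@example.com result=FAIL
2019-12-09T10:00:30Z ip=198.51.100.5 user=alice@example.com result=OK
"""

def parse_line(line):
    """Return (timestamp, ip, user, ok) or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"] == "OK"

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct accounts, mostly failing, inside a
    sliding window: one IP cycling usernames (not one user retrying) is the signature."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, ok = parsed
            events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_win}
            fails = sum(1 for _, _, ok in in_win if not ok)
            if len(users) >= min_users and fails / len(in_win) >= min_fail_ratio:
                # Accounts that succeeded from a stuffing source: force a password reset.
                flagged[ip] = sorted(u for _, u, ok in in_win if ok)
                break
    return flagged
```

On the sample, the spraying IP is flagged together with the one account it logged into, while the ordinary user who mistyped once and then succeeded is not.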
Earlier, a similar leaky database left around 773 million email addresses and more than 21 million passwords unprotected online. According to security researcher Troy Hunt, who runs the breach notification service Have I Been Pwned, a huge database combining records from more than 2,000 hacked databases was exposed online.
The breached data, which Hunt dubbed Collection #1, includes around 773 million (772,904,991) unique email addresses and 21 million (21,222,975) unique passwords. At around 87 GB, the breached records also included 1,160,253,228 unique combinations of breached email addresses and passwords. Hunt stated that the data is made up of many individual breaches from thousands of other sources.