Here’s a reason for you to be concerned about the security of the accounts you use for various online services. A cybersecurity firm that researches the Dark Web said it recently discovered that a single interactive and easily searchable database of about 1.4 billion user credentials is being distributed.
With a number that big, it’s quite possible that one or more of those sets of credentials belong to you.
Let’s Look at the Numbers
The numbers related to 4iQ’s discovery are jaw-dropping. The single database contains 1,400,553,869 credentials. Those credentials were acquired from 252 data breach incidents.
When 4iQ searched for the username strings “admin,” “administrator,” and “root,” 226,631 results were returned. The database is a 41GB dump file, and it’s completely in plaintext. 14% of the username and password pairs are new discoveries to the data breach community.
So, about 385 million credential pairs, 318 million unique users, and 147 million passwords in the database are new and aren’t in other credential breach dump files.
The Most Commonly Used Passwords
Here are the 40 most commonly found passwords in the database:
1 - 123456, used 9,218,720 times
2 - 123456789, used 3,103,503 times
3 - qwerty, used 1,651,385 times
4 - password, used 1,313,464 times
5 - 111111, used 1,273,179 times
6 - 12345678, used 1,126,222 times
7 - abc123, used 1,085,144 times
8 - 1234567, used 969,909 times
9 - password1, used 954,446 times
10 - 1234567890, used 879,924 times
11 - 123123, used 866,640 times
12 - 12345, used 834,468 times
13 - homelesspa, used 621,078 times
14 - iloveyou, used 564,344 times
15 - 1q2w3e4r5t, used 527,158 times
16 - qwertyuiop, used 470,562 times
17 - 1234, used 468,554 times
18 - 123456a, used 417,878 times
19 - 123321, used 398,114 times
20 - 654321, used 371,627 times
21 - 666666, used 370,652 times
22 - 123, used 354,784 times
23 - monkey, used 347,187 times
24 - dragon, used 343,864 times
25 - 1qaz2wsx, used 311,371 times
26 - 123qwe, used 300,279 times
27 - 121212, used 299,984 times
28 - myspace, used 298,938 times
29 - a123456, used 291,932 times
30 - qwe123, used 276,473 times
31 - 1q2w3e4r, used 270,488 times
32 - zxcvbnm, used 268,121 times
33 - 7777777, used 263,605 times
34 - 123abc, used 255,079 times
35 - qwerty123, used 250,732 times
36 - qwerty1, used 241,721 times
37 - 987654321, used 241,495 times
38 - 222222, used 227,701 times
39 - 555555, used 226,785 times
40 - 112233, used 220,363 times
Yes, It’s Real
The researchers have checked the usernames and passwords of a few specific users and confirmed they were all real credentials. The most recent credentials in the database are dated November 29, 2017.
The database includes credentials from data breaches related to LinkedIn, Twitter, Neopets, Badoo, Redbox, Myspace, Gmail, and 000webhost.com. Without having the opportunity to search the database myself, I’ve already changed all of my online passwords and I’d advise you to do the same.
I’d like to thank 4iQ for finding the database, and Julio Casal for sharing the findings on Medium.
Once again, please change your passwords. Be sure to make them long (many suggest at least 32 characters), and consider using a password manager if that helps you make your passwords more complex.
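One way to put the list above to defensive use, as an added example that is not from the article or from 4iQ: a sign-up or password-change check that rejects the 40 listed passwords along with the repeats, sequences and keyboard-row walks that dominate the list. The function names, the reason codes and the use of 32 characters as an enforced minimum are assumptions.

```python
import re

MIN_LENGTH = 32  # assumed policy value: the length the article says many suggest

# The 40 passwords listed in the article, used here as a denylist.
COMMON = set("""
123456 123456789 qwerty password 111111 12345678 abc123 1234567 password1 1234567890
123123 12345 homelesspa iloveyou 1q2w3e4r5t qwertyuiop 1234 123456a 123321 654321
666666 123 monkey dragon 1qaz2wsx 123qwe 121212 myspace a123456 qwe123
1q2w3e4r zxcvbnm 7777777 123abc qwerty123 qwerty1 987654321 222222 555555 112233
""".split())

KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def repeated_unit(s):
    """Return the shortest unit that s is built from by repetition, else s itself."""
    m = re.fullmatch(r"(.+?)\1+", s)
    return m.group(1) if m else s


def is_sequence(s):
    """True for ascending or descending character runs such as 12345 or 987654321."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) >= 3 and steps in ({1}, {-1})


def is_keyboard_walk(s):
    """True when s (or its reverse) runs along a single keyboard row."""
    return len(s) >= 4 and any(s in row or s[::-1] in row for row in KEYBOARD_ROWS)


def screen(password):
    """Return the reasons to reject a proposed password; an empty list means accept."""
    p = password.lower()
    unit = repeated_unit(p)  # padding by repetition does not make a password strong
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if unit != p:
        reasons.append("repeat")
    if p in COMMON or unit in COMMON:
        reasons.append("common")
    if is_sequence(unit):
        reasons.append("sequence")
    if is_keyboard_walk(unit):
        reasons.append("keyboard_walk")
    return reasons
```

Length alone is not enough: `screen("Password" * 4)` meets the 32-character minimum and is still rejected, because it reduces to an entry on the list.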