When was the last time you used your credentials online? A few minutes ago? Within the last 24 hours? Our credentials are at the heart of our online lives. So, what happens if they are stolen?

Irdeto’s Cybersecurity Services team obtained a copy of the largest aggregated database of stolen credentials. The database was found on the dark web and 4IQ published a description at the end of 2017. Our data scientists are continuing to analyze its contents but here are some findings so far.

Clear and present danger
There are two aspects that make this database dangerous.

  1. The sheer size – 1.4 billion unique credentials.
  2. 99% of the credentials were not encrypted or hashed. They are clear text credentials.

With a global population of 7 billion people, this amounts to unencrypted credentials for 1/5th of the world.

What we know so far
The database contains all major email providers from across the globe. Let’s start by looking at the most popular domains. The graph below shows the Top 20. Yahoo, Hotmail, Gmail and mail.ru dominate as the top 4 domains represented in the database.

When you break that down into a country view, an interesting observation surfaces. There are twice as many e-mail addresses on Russian domains than there are internet users in Russia! It’s worth noting that the USA was excluded as we can’t attribute ‘.com’ addresses only to that country.

There are even government and military email addresses included. Using the domain ‘.mil’ – it’s the US Army that tops that category.

For the ‘.gov’ domain, there was over one million email addresses listed. NASA takes first place, just ahead of the Department of Homeland Security.

What does it mean?
At first glance, you might assume the database provides the password for the corresponding email address. However, from our research, it seems that the combination of email addresses and passwords points to accessing a service. There’s a high likelihood that top email addresses that occurred most frequently could well be throwaway accounts – people providing an email address to register but not needing to access that email account.

Nevertheless, it’s worth emphasizing that all organizations have a duty to ensure that any credentials are stored securely, so that if their database is breached, hackers won’t be able to use the passwords immediately. And with the General Data Protection Regulation (GDPR) coming into force from 25th May 2018, the availability of this stolen credentials database is a very loud warning bell.

What can be done?
One way to gauge your company risk level is to work with a trusted security partner. That partner should provide you with the combination of proven dark web expertise and cybercrime prevention services, such as performing penetration testing and security audits of your infrastructure. Such intelligence will arm your security and development teams to further harden your systems as well as educate your customer base about better password security.