A database containing billions of email addresses and passwords has been leaked online, accessible to anyone with a web browser.
Cybersecurity firm Comparitech and security researcher Bob Diachenko uncovered the database on December 4, 2019. However, the database had already been indexed by the BinaryEdge search engine and had thus been publicly accessible since the beginning of December.
Diachenko immediately notified the US ISP hosting the IP address. On December 9, the database was taken offline. In total, the database was exposed for over a week, giving malicious third parties time to harvest the data.
The 1.5 TB database contained 2.7 billion email addresses and plaintext passwords. The records also contained MD5, SHA1, and SHA256 hashes of each email address.
It was discovered that the majority of the email addresses were from Chinese domains, including qq.com, 139.com, gfan.com, and game.sohu.com. These domains belong to some of China’s biggest internet companies, including Sohu, NetEase, Sina and Tencent.
Together, Comparitech and Diachenko concluded that much of the data came from the “Big Asian Leak” first uncovered by HackRead, whereby a dark web vendor was selling one billion stolen user accounts.
“Because many Chinese people have difficulty reading English characters, they often use their phone numbers or other numerical identifiers as usernames. Therefore, we can assume many of these email addresses also contain phone numbers,” said Paul Bischoff.
It is not clear who owns the exposed database, but it could have been created as the first stage of a credential stuffing campaign.
“Since many employees share passwords between their work and personal accounts, this leak is not only problematic for the individuals who own the accounts, but a big risk for enterprises globally as well,” said Vinay Sridhara, CTO of Balbix, to Infosecurity Magazine.
“Enterprises should use this as an opportunity to scan for password reuse immediately, and on an ongoing basis, to limit their exposure to this incident.”
The post #Privacy: Over 2.5 billion email address and passwords leaked online appeared first on PrivSec Report.