A huge database with email addresses, passwords in clear text, and partial credit card data has been uploaded to a free, public hosting service.
The total number of unique email addresses and plain text passwords in the collection is 41,826,763 and they were uploaded to the anonymous file hosting service kayo.moe.
The operator of the sharing service sent the set to Troy Hunt, Australian security researcher and creator of the Have I Been Pwned data breach index site, to compare it and check whether it was the result of an unknown data breach.
Based on the format of the data, Hunt thinks the lists are most likely intended for credential stuffing attacks, which combine into a single list cracked passwords and email addresses and run them automatically against various online services to hijack the user accounts that match them.
Credential stuffing attacks take advantage of the fact that users, for convenience, are likely to reuse credentials on multiple websites.
"When I pulled the email addresses out of the file, I found almost 42M unique values. I took a sample set and found about 89% of them were already in HIBP which meant there was a significant amount of data I've never seen before. (Later, after loading the entire data set, that figure went up to 93%.)," Hunt writes in a blog post (https://www.troyhunt.com/the-42m-record-kayo-moe-credential-stuffing-data/) today.
The security researcher was able to determine that over 91% of the passwords in the dataset were already available in the Have I Been Pwned collection. You can query the service for yours here (https://haveibeenpwned.com/Passwords).
Hunt says that filenames in the collection do not point to a particular source because there is no single pattern for the breaches they appeared in.
For years, security researchers have advised users to kick the habit of recycling passwords, specifically to avoid credential stuffing attacks.
Cybercriminals trade credential databases on a daily bases, not just on the dark web, but on publicly accessible forums, too. They rely on automated processes for cracking the passwords and test them against online services.
Using a password manager that can generate strong unique passwords for every site you visit and turning on two-factor authentication (where possible) are good measures against this type of attack.