Troy Hunt, operator of the Have-I-Been-Pwned service, has now added 1.3 billion unique passwords to the data collection. They originate from the extended “Synthient” data collection.
Synthient collected openly accessible data from cloud storage accessible via the internet or Telegram groups, from where Troy Hunt also obtained it. Hunt had previously filtered a portion of this data and added approximately 183 million credentials from it to the HIBP collection about two weeks ago. This primarily involved data exfiltrated by infostealers.
Infostealers are Trojans that are installed on computers or smartphones and record when victims log into services. They then forward these credentials to command-and-control servers, and the stolen data often ends up publicly visible online. Victims might install such infostealers unknowingly, bundled with supposed cracks for popular software, but the malware can also reach devices through security vulnerabilities in installed software.
Misuse for “Credential Stuffing” Attack Attempts
However, Synthient has collected far more than infostealer logs; the collection also consists of data from various data breaches, which Hunt refers to as “credential stuffing” entries. In total, the data collection comprises around 2 billion unique email addresses. As Troy Hunt explains in his announcement of the newly added 1.3 billion passwords, 625 million of which were previously unknown, attackers use this data to break into other accounts of the same victims where the same passwords are (re)used. Testing stolen credentials against other services in this way is called credential stuffing.
Hunt was able to confirm the success of this tactic during data verification. According to his report, he surveyed some HIBP subscribers about whether the data was genuine. The very first response provided clarity: “[Password] #1 is an old password I no longer use. #2 is a more recent password. Thanks for the heads-up; I went and changed the passwords for all critical accounts that used one of them.” Another user reported that it was a disposable password for unimportant accounts that he had used between 10 and 20 years earlier. Further responses also point in the direction of old, long-unused passwords. The data collection therefore also includes very old entries.
Interested parties can check on a dedicated HIBP website to see if their passwords have appeared in a data breach. A quick check with “123456,” for example, yields 178,863,340 entries where this number sequence appeared as a password.
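The lookup the HIBP password page performs can also be done programmatically without sending the password itself: the client hashes it with SHA-1, transmits only the first five hex characters of the hash, receives every known hash suffix for that prefix, and compares locally (the k-anonymity “range” API). The block below is an added example, not code from HIBP or the article; it assumes the range response format (`SUFFIX:COUNT` lines) and uses a constructed offline stand-in for the HTTP call so it runs without network access, with the “123456” count taken from the figure quoted above.

```python
import hashlib
from typing import Callable

# Constructed excerpt of a Pwned Passwords "range" response for prefix 7C4A8.
# A real response lists every known suffix sharing that prefix; entries with
# count 0 appear when the optional padding feature is enabled.
SAMPLE_RANGE_RESPONSE = (
    "D09CA3762AF61E59520943DC26494F8941B:178863340\r\n"  # "123456", figure quoted in the article
    "0123456789ABCDEF0123456789ABCDEF012:3\r\n"          # constructed filler suffix
    "FEDCBA9876543210FEDCBA9876543210FED:0\r\n"          # constructed padding entry
)


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>; no network."""
    return SAMPLE_RANGE_RESPONSE if prefix == "7C4A8" else ""


def split_hash(password: str) -> tuple[str, str]:
    """Return the 5-hex-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating blank lines and CRLF."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue  # skip malformed lines rather than raising
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """Number of breach occurrences for the password; 0 means its suffix was not in the range."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("123456", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw)} times")
```

To query the live service, pass a `fetch_range` that performs the HTTP GET against the prefix; the password and its full hash never leave the client.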
(dmk)
This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.