A new database containing over 560 million emails and passwords has been discovered by security researchers. The information, which remains insecure, has been compiled from a variety of sources, most of which are data breaches from several years ago. But gathering them all into one easily accessible collection could spell trouble.
The database was discovered by the Kromtech Security Research Center. It verified the data with researcher Troy Hunt, creator of the Have I Been Pwned (HIBP) website that lets people check if their accounts have been compromised by typing in an email address.
Hunt identified over 243 million unique email addresses, the majority of which were already in the HIBP database - the result of earlier data leaks from the likes of LinkedIn, Last.fm, Dropbox, MySpace, Adobe, Neopets, Tumblr, Badoo, and several others.
While these breaches have since been secured, the biggest risk comes from the fact that so many people reuse the same login credentials for multiple accounts. As Mark Zuckerberg would tell you, such a practice is never a good idea.
It’s not clear who compiled the database. The researchers are calling the person “Eddie” after a name they found in the database credentials.
Kromtech’s discovery was made using Shodan, the search engine that lets users look for easily accessible internet-connected devices. According to Bob Diachenko, Kromtech’s Chief Communications Officer, the device storing the logins is running an insecure version of the open-source database MongoDB, which made headlines earlier this year when thousands of systems using the software were hit with ransomware-style attacks.
“We wanted once again to highlight the importance of changing the passwords, because more and more malicious actors seem to exploit the data grabbed from previous leaks and hacks,” Diachenko told Gizmodo.
You can check if you have a compromised account on HIBP. Don’t be too worried if something shows up, since many of the breaches are years old (I had three, one stretching back to 2013). Still, this is another reason why people should use password managers and enable two-factor authentication wherever possible.
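The two defensive points above, checking whether a credential already appears in a breach corpus and spotting the password reuse that makes old leaks dangerous, can be automated. The following Python is an added example written for this article, not code from Kromtech, HIBP or Gizmodo. It assumes the k-anonymity lookup model that HIBP's Pwned Passwords service uses (only the first five hex characters of the password's SHA-1 are sent, and the service replies with every matching suffix and its breach count); the range response embedded here is constructed for the example, and the network call is replaced by an offline stand-in so the code runs as-is.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the body of a Pwned Passwords range query
# (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>).
# Real responses list one "SUFFIX:COUNT" pair per line for every hash that
# shares the prefix. Every suffix and count below is made up, except that the
# first line is the genuine SHA-1 suffix of the string "password".
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003\r\n"
    "0A1B2C3D4E5F60718293A4B5C6D7E8F9012:2\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:17\r\n"
)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of a password into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines rather than crash
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus (0 if unseen).

    fetch_range is injected so the check can run offline here; a real client
    would perform the HTTPS GET for the prefix and return the response text.
    Only the prefix is ever passed to fetch_range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Constructed substitute for the network call, used by this example only."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def find_reused(credentials: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group sites that share a password. The report keys on the SHA-1 of the
    password so plaintexts are not retained in the output."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for site, password in credentials:
        by_hash[hashlib.sha1(password.encode("utf-8")).hexdigest()].append(site)
    return {h: sites for h, sites in by_hash.items() if len(sites) > 1}


if __name__ == "__main__":
    # "password" is in the constructed sample; an unseen passphrase is not.
    print(breach_count("password", offline_fetch))
    print(breach_count("unlisted-example-passphrase-42", offline_fetch))
    # Constructed vault: two sites share a password, one does not.
    vault = [("linkedin", "password"), ("dropbox", "password"), ("bank", "Tq7!vB#2nLp")]
    print(find_reused(vault))
```

The design point is that `breach_count` never hands the password, or its full hash, to the lookup function; a compromised or logging lookup service learns only a five-character prefix shared by many thousands of hashes. `find_reused` is the check a password manager performs when it flags duplicate passwords, which is what turns an old LinkedIn or Dropbox leak into a live risk elsewhere.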