2.2 billion credentials dumped onto the dark web
Following January 2019’s record-breaking Collection #1, which leaked 770m credentials onto the dark web, Collections #2-5 have now been dumped into the public domain.
Less than a month into 2019, cyber criminals have signalled that they are prepared for a higher form of digital warfare. Not content with releasing an unprecedented 87 gigabytes of user data earlier in January, the new data dump is an enormous 845 gigabytes – almost ten times bigger.
And with over 2 billion usernames, email addresses, and passwords now in the public domain, it is highly likely that your information is in the hands of potential hackers.
Ransomware as a service – Ransomware packages are readily available for those willing to pay a subscription. Ranging from £90 to £1,450, anyone can acquire the means to conduct a ransomware attack.
Remote access to servers (see right) – Plenty of services on the dark web offer remote access to computer servers for a fee. Once a cyber-criminal has bought access to a server, they are able to execute a ransomware attack or install discreet spyware to harvest financial information to be used for blackmail.
Renting of botnets – Some seasoned criminals rent out their network of compromised computers. Combining their computing power, an individual can perform a mass-spam campaign or a distributed denial of service (DDoS) attack, which overloads a business’s server with traffic, taking it offline for an indefinite amount of time.
The sale of PayPal or credit card accounts – Cyber criminals who run successful phishing attacks do not usually take the risk of using the stolen accounts themselves. Instead, they sell the information on the dark web – often for a percentage of the account balance. The bigger the PayPal or bank account, the larger the sale fee.
So how does your information make it to the dark web?
Very easily – your data footprint is scattered throughout the internet. If you use the same password across multiple websites and services, then it’s very probable that your information is in the hands of criminals.
‘Credential stuffing’, the large-scale automation of login requests across popular online services, allows criminals to brute force their way into other services, using a single compromised credential.
Whether it’s simply a weak password cracked by an individual, or a service you’re signed up to suffering a cyber-attack, it only takes one leak for your information to make it onto the dark web.
“The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago you’ve long since forgotten about, but because it’s subsequently been breached and you’ve been using that same password all over the place, you’ve got a serious problem.”
-Troy Hunt, Have I Been Pwned
Journey to the centre of the dark web
A cyber attacker researches their target before an attack, searching for potential weak links in your business security. These weaknesses often take the form of a network vulnerability or a lack of employee cyber security awareness.
Once the attacker has established a clear entry point – it could be a phishing attack, bypassing of poor network security, or even an inside job by an employee – they exploit the weakness with a cyber-attack.
Following a successful breach, the cyber-criminal has access to your business’ internal network. They can then tunnel into your company’s critical and confidential data. This data can then be downloaded and disseminated all over the internet.
Business data is no longer secure and is now considered to be compromised. Here it makes its final journey to the dark web’s black market, and is eventually delivered into the hands of an individual who has a financial investment in doing harm to your business.
Have you been affected?
Firstly – with significant data breaches like this, always assume that you have been compromised and take steps to protect your business.
Make use of free online resources, including Have I Been Pwned (HIBP) and the Hasso Plattner Institute’s Info Leak Checker, which consult databases containing information relating to internet breaches. By entering your email address, you can confirm whether your credentials have been leaked. For security purposes, no additional information is given.
A dark web monitoring service can proactively trawl the dark web for any activity related to your business’ domain. This offers a key advantage over services like HIBP – dark web monitoring searches for compromises of your entire business domain, rather than just a single individual’s credentials. A dedicated dark web monitoring partner can also inform you immediately of any compromises, allowing your business to act swiftly.
If you do not use a unique password for each website or service, now is the time to start doing so. If you are concerned about remembering so many passwords, consider using a password manager such as 1Password. This is far more secure than using a single password across multiple services.
Review the strength of your passwords – do they contain random alphanumeric, mixed-case, and special characters? If not, it is highly recommended that you review your existing passwords.
Our free-to-use password tools estimate how long it would take for your passwords to be cracked and offer a random password generator.
Consider multi-factor authentication – single-factor authentication, no matter how secure, is no longer enough. By using multi-factor authentication, you can use your mobile phone or an authenticator tool, meaning that any login attempts must be approved directly by you.