- Billions of email addresses and passwords have been exposed via an unprotected database.
- Part of the data is attributed to a leak that occurred two years ago and resulted in a darknet sell.
- The exposure concerns billions of people and involves plain-text passwords and email addresses.
Comparitech and Bob Diachenko have discovered a publicly accessible database that contained 2.7 billion email addresses and one billion passwords in plan-text form. The passwords are not from an entirely different set but correspond to some of the email addresses in the same database, which is catastrophic for the exposed individuals. The owner of the database couldn’t be determined, but the majority of the email addresses originate from the following domains: “qq.com”, “139.com”, “163.com”, “126.com”, “gfan.com”, and “game.sohu.com”. These domains belong to Tencent, Sina, Sohu, and NetEase, all of which are Chinese internet service providers.
This means that the exposed people are customers of the above companies, and the credentials are most probably concerning user accounts that have been set up for client forum access, customer portal access, etc. This is why there’s a mix of Yahoo, Gmail, Rambler, and Mail.ru accounts. Upon further investigation, the researchers have determined that the set of the emails that are accompanied by plain-text passwords originate from a previous leak, called the “Big Asian Leak”, and which occurred in January 2017. That said, the database was partially populated with entries that were sourced from the dark web.
The discovery took place on December 4, 2019, and the ISP that hosted the IP address took it down on December 9, 2019. The first indexing date on BinaryEdge is December 1, 2019, so the 1.5 TB of data was left open to access by anyone for at least eight days. While part of this data had been exposed previously, the newly added email addresses were not. These new entries contain the MD5, SHA1, and SHA256 hashes of each email address, so a conclusion that can be drawn is that the particular database was used for parsing and performing searches of relational data.
Other domains that have been confirmed to be impacted by this leak include the following: TOM Online (tom.com), Eyou (eyou.com), SK Communications (nate.com), Google (gmail.com), Yahoo (yahoo.com), Hotmail (hotmail.com), Yeah.net, and QQ (qq.com). If you have not changed your password on these platforms since 2017, you are urged to do so immediately. Also, resetting common credentials everywhere that you may be using them goes without saying if you want to avoid falling victim to credential stuffing attacks.