- A large database of usernames, passwords and credit card information has been leaked to kayo.moe.
- The operator of the file-sharing website sent the database to Troy Hunt to be listed as a data breach.
- The leak was most likely due to credential stuffing by affected users.
Security researcher Troy Hunt was recently notified about a massive data breach with almost 42 million users affected. A database containing the usernames and passwords of 41,826,763 users was uploaded in plain-text format. Some of the entries also contained credit card information.
The breach has been listed on the popular website Have I Been Pwned. If you want to check whether you have been affected by any known data breach, you can head to the website and simply enter your email address to get a report. It is likely that the users who had their passwords leaked have been affected due to credential stuffing. Many internet users often use the same usernames and passwords on multiple websites for convenience, which makes it easy for attackers to exploit multiple accounts at the same time.
Security researcher Troy Hunt revealed: “When I pulled the email addresses out of the file, I found almost 42M unique values. I took a sample set and found about 89% of them were already in HIBP which meant there was a significant amount of data I’ve never seen before. (Later, after loading the entire data set, that figure went up to 93%.)”
Hunt revealed that over 91% of the usernames and passwords were already listed on his website. According to the security researcher, the filenames and the collection of passwords do not point towards a particular source.
To secure yourself against attacks, it is recommended not to recycle passwords across multiple websites, as a single data breach can cause multiple accounts to get exploited. Cybercriminals often trade usernames and passwords on the dark web, which can be very dangerous for users who have access to sensitive personal data. Enabling two-factor authentication can also help greatly against attacks.