Over One Billion Email-Password Combos Leaked Online (Dec 12, 2019)
An unsecured Elasticsearch database containing 2.7 billion email addresses and more than a billion plaintext passwords was discovered in early December 2019; it had been publicly accessible for nine days before it was taken offline. Security researcher Bob Diachenko found the database and notified the ISP hosting the IP address, then worked with Comparitech researchers to conclude that much of the data was harvested from "The Big Asian Leak" of 2017. That leak consisted of breached credentials from multiple internet companies across Asia, mainly email usernames and passwords used on Chinese sites. The 1.5TB dataset may also have contained phone numbers and other identifying numbers, since Chinese users often had to supply such values where English characters were required for usernames. As of this writing it is unclear who owns the exposed database, or whether it was assembled deliberately for credential stuffing campaigns.
Recommendation: All individuals affected by a data breach like this one should change their passwords and login credentials straight away, especially if the same password is reused across multiple online accounts. Because such a large number of email addresses is now available to threat actors, phishing attacks and credential stuffing campaigns are likely to follow.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.