
10 things to learn from the 1 400 000 000 passwords/emails leaked to public

4 replies to this topic

#1 Nuno Brito

Nuno Brito

    Platinum Member

  • .script developer
  • 10545 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
    European Union

Posted 01 January 2018 - 06:06 PM


Just writing 1.4 billion doesn't work.
To visually understand how big this recent leak of data was, you really need to count slowly the zeros in the title of this post.
That's data that anyone with some time will be able to find. It is not awfully recent; it is from about 2016, and most of the major websites such as Google, LinkedIn, Dropbox and similar have already forced their customers to change the password they were using.
Still (and this is a big still), the amount of information that you can extract from this database of 1400000000 user accounts is simply gigantic.
10 things anyone can learn about you:

  • Knowing your old password means that anyone can also query that same password and find other email accounts that you are using (for example, Gmail accounts)
  • An attacker can likely spot a pattern that they can try in other sites. For example: "linkedin1970" as password will give a hint that they can try at other sites replacing the "linkedin" portion
  • For big organizations, it is hundreds if not thousands of email addresses from real employees that can now be targeted for phishing
  • Passwords are intimate, often reveal what is on the mind of the user. Some passwords are too revealing (e.g. sexual orientation, religion, romantic partners) and this information can be used against them (blackmail, defamation)
  • Revealing identities: there are people belonging to a company or organization who do not want this information to be public
  • Email patterns: learn the pattern under which the emails are created, such as "John.Doe@acme.com", "jdoe@acme.com", "john@acme.com" or some other combination, which helps attackers guess the email address of another person inside the same company whom they want to target
  • Discovering your nationality or real name, based on the country portion of the domains your accounts are using
  • Discovering previous companies where a person has worked
  • Get direct email access to the CEO/CTO of smaller companies
  • Passwords hint at your security knowledge. Looking at the same organisation, a person using special characters will look more knowledgeable than another using only simple words. This helps attackers pick users likely to fall for social engineering traps

The potential for misuse and abuse is there.
I spent a good part of last week looking at the data, cleaning up the records and verifying their authenticity. This data is real; even my mom had her password listed there.
Some cases were just weird. While looking up the name of a known criminal as a test, the first match indicated that he had an email account with a very small email provider in Switzerland. In other cases, such as the accounts from domains belonging to football clubs, the large majority of these passwords included the name of the football club inside them (e.g. "benfica1"). One of these clubs had recently had problems when their emails got leaked to the public. After looking at their password practices, I can really understand why it wasn't that difficult to guess them.
What seems more troubling is the amount of people using their company emails for registration on external sites. Certainly in many cases it is a necessary action, but I can't stress enough that this type of thing should be avoided as much as possible.
Change your passwords and use two-step authentication when available.
My friends, stay safe out there and all the best for this 2018 that now starts.


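The signals listed in the post above (accounts sharing a password, site names embedded in passwords, the organisation's own name in passwords, per-domain email naming conventions, country hints from the TLD and the same person appearing under several domains) can be pulled out of a dump with a few indexes. The script below is an added example, not code from the original post; the "email:password" records are a constructed, fictional sample, and the SITE_WORDS list is an assumed starting point to extend for a real dataset.

```python
"""Index a leaked "email:password" dump and pull out the signals the post lists.

Added example, not code from the original post.  The dump below is a
constructed, fictional sample: every address, domain and password is invented.
"""
import re
from collections import Counter, defaultdict

# Constructed sample dump (fictional).  Real dumps are plain "email:password" lines.
SAMPLE_DUMP = """\
john.doe@acme.example:linkedin1970
jdoe@acme.example:Summer!2016
john.doe@gmail.example:dropbox1970
mary.smith@acme.example:acme123
alice@oldco.example.ch:alice1990
alice@acme.example:linkedin1970
fan@clubfc.example.pt:clubfc1
fan2@clubfc.example.pt:CLUBFC2016
ceo@tinyshop.example:passw0rd!
"""

# Site names commonly found inside passwords (assumption: extend for your dataset).
SITE_WORDS = ("linkedin", "dropbox", "gmail", "facebook", "myspace", "adobe")


def parse_dump(text):
    """Return [(email, password)], skipping malformed lines.

    Split on the first ':' only; passwords may themselves contain ':'.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if "@" not in email or not password:
            continue
        records.append((email, password))
    return records


def accounts_sharing_password(records, password):
    """Point 1: every account in the dump that used exactly this password."""
    return sorted(email for email, pw in records if pw == password)


def site_name_pattern(password):
    """Point 2: (site, remainder) if a site name is embedded, else None.

    "linkedin1970" -> ("linkedin", "1970"): an attacker tries "dropbox1970" next.
    """
    low = password.lower()
    for site in SITE_WORDS:
        if site in low:
            return site, low.replace(site, "", 1)
    return None


def org_name_in_password(email, password):
    """Football-club case: the organisation's own name appears in the password."""
    org = email.split("@", 1)[1].split(".", 1)[0]
    return org in password.lower()


def org_password_ratio(records, domain):
    """Share of a domain's accounts whose password contains the org name (0.0-1.0)."""
    mine = [(e, p) for e, p in records if e.endswith("@" + domain)]
    if not mine:
        return 0.0
    return sum(org_name_in_password(e, p) for e, p in mine) / len(mine)


def email_format(local):
    """Point 6: naming convention of a local part."""
    if re.fullmatch(r"[a-z]+\.[a-z]+", local):
        return "first.last"
    if re.fullmatch(r"[a-z]+", local):
        return "single"
    return "other"


def domain_email_formats(records):
    """Point 6: per domain, how often each naming convention appears."""
    formats = defaultdict(Counter)
    for email, _ in records:
        local, domain = email.split("@", 1)
        formats[domain][email_format(local)] += 1
    return formats


def country_hints(records):
    """Point 7: two-letter country-code TLD for each account that has one."""
    return {e: e.rsplit(".", 1)[-1].upper() for e, _ in records
            if len(e.rsplit(".", 1)[-1]) == 2}


def linked_accounts(records, local):
    """Points 1 and 8: every domain where the same local part shows up."""
    return sorted({e.split("@", 1)[1] for e, _ in records
                   if e.split("@", 1)[0] == local})


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("shares linkedin1970:", accounts_sharing_password(recs, "linkedin1970"))
    print("pattern:", site_name_pattern("linkedin1970"))
    print("clubfc org-in-password ratio:", org_password_ratio(recs, "clubfc.example.pt"))
    for domain, counts in domain_email_formats(recs).items():
        print(domain, dict(counts))
    print("country hints:", country_hints(recs))
    print("john.doe seen at:", linked_accounts(recs, "john.doe"))
```

On the constructed sample, "linkedin1970" links two accounts at acme.example, the clubfc.example.pt domain scores 1.0 on the org-name-in-password check (every account there uses the club name, the pattern the post describes for football clubs), and the local part "john.doe" turns up at both acme.example and gmail.example, which is the password-reuse pivot from point 1 done by name instead of by password.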

#2 Blackcrack


    Frequent Member

  • Advanced user
  • 403 posts

Posted 02 January 2018 - 07:32 AM

Happy new Year!

(I had written so much, but it was not cached, and as I pressed Alt+R for a reg-sign (or so), the whole text was gone when I went backward :\ )


#3 AnonVendetta


    Silver Member

  • Advanced user
  • 713 posts
  • Location:A new beginning.....
  • Interests:Self-development, computing

Posted 03 January 2018 - 03:39 AM

I don't know who you are but.....



#4 abbeyslinger

  • Members
  • 6 posts
    New Zealand

Posted 19 April 2018 - 08:31 AM

How about using a password manager and avoiding public Wi-Fi?

#5 Nuno Brito


Posted 19 April 2018 - 08:34 AM

Good point. I wonder how many people will really use a password manager.

Even so, wouldn't the password manager also be open to attack by brute force and password guessing?

From that perspective, assuming my laptop has a keylogger installed, the keylogger would be able to capture the master password and then access everything.

Whereas today one can still use human memory to store a few passwords. Hm, not an easy choice.
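The brute-force question raised in the post above comes down to how the manager turns the master password into the vault key: an attacker who has stolen the vault file can guess offline, but every guess costs one run of the key derivation function, so the iteration count sets the guess rate. The script below is an added example, not code from any password manager or from the post; it assumes PBKDF2-HMAC-SHA256 (one common choice) and a random salt, and uses a small benchmark to show how the iteration count changes the cost of exhausting a guess space. It says nothing about the keylogger case, which bypasses the KDF entirely because it captures the master password before derivation.

```python
"""How a password manager's key derivation slows master-password guessing.

Added example, not from the post or from any specific password manager.
Assumption: the vault key is PBKDF2-HMAC-SHA256(master password, salt, N).
"""
import hashlib
import os
import time

# Constructed parameters; a real manager stores its own salt and iteration
# count in the vault header.
SALT = os.urandom(16)


def derive_vault_key(master_password, salt, iterations):
    """Stretch the master password into a 256-bit vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def brute_force(target_key, salt, iterations, candidates):
    """Offline attack on a stolen vault: each guess costs one full KDF run.

    Returns the matching candidate, or None if none of them derive target_key.
    """
    for guess in candidates:
        if derive_vault_key(guess, salt, iterations) == target_key:
            return guess
    return None


def guesses_per_second(salt, iterations, samples=5):
    """Measure how many KDF runs this machine manages per second (one core)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key("benchmark%d" % i, salt, iterations)
    elapsed = time.perf_counter() - start
    return samples / elapsed if elapsed > 0 else float("inf")


def seconds_to_exhaust(keyspace, rate):
    """Worst-case time to try every password in a keyspace at a given rate."""
    return keyspace / rate


if __name__ == "__main__":
    # Keyspace of an 8-character lowercase-only password: 26**8 guesses.
    space = 26 ** 8
    for iters in (1, 10_000, 600_000):
        rate = guesses_per_second(SALT, iters)
        days = seconds_to_exhaust(space, rate) / 86400
        print(f"{iters:>7} iterations: {rate:10.1f} guesses/s, "
              f"26^8 space exhausted in {days:.1f} days on one core")
```

Running the block shows the guess rate dropping roughly in proportion to the iteration count; the absolute numbers depend on the machine, and a GPU cracking rig is faster than one CPU core by orders of magnitude, which is why a long master password matters as much as the KDF setting.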
