To visually understand how big this recent leak of data was, you really need to count slowly the zeros on the title of this post.
Still, (and this is a big still), The amount of information that you can extract from this database with 1400000000 user accounts is simply gigantic.
10 things anyone can learn about you:
- Knowing your old password means that anyone can also query that same password and find other email accounts that you are using (for example, gmail accounts)
- An attacker can likely spot a pattern that they can try in other sites. For example: "linkedin1970" as password will give a hint that they can try at other sites replacing the "linkedin" portion
- For big organizations, it is hundreds if not thousands of email addresses from real employees that can now be targeted for phishing
- Passwords are intimate, often reveal what is on the mind of the user. Some passwords are too revealing (e.g. sexual orientation, religion, romantic partners) and this information can be used against them (blackmail, defamation)
- Revealing identities, you have people belonging to a company or organization that do not want this information to be public
- Email patterns, learn the pattern under which the emails are created such as "John.Doe@acme.com", "email@example.com", "firstname.lastname@example.org" or some other combination that helps attackers to guess the email address of another person inside the same company that they want to target
- Discovering your nationality or real name, based on the country portion of the domains where your accounts are using
- Discovering previous companies where a person has worked
- Get direct email access to the CEO/CTO of smaller companies
- Passwords hint your security knowledge. Looking at the same organisation, a person using special characters will look more knowledgeable than another using only simple words. This helps attackers to pick users likely to fall for social engineering traps
The potential for misuse and abuse is there.
Passed a good part of last week looking at the data, cleaning up the records and verifying their authenticity. This data is real, even my mom had her password listed there.
Some cases were just weird. While looking up for the name of a known criminal as test, the first match indicates that he had an email account with a very small email provider in Switzerland. In other cases such as the accounts from domains belonging to football clubs, the large majority of these passwords included the name of the football club inside them (e.g. "benfica1"). One of these clubs had recently passed through problems as their emails got leaked to public. After looking at their password practices, I can really understand why it wasn't that difficult to guess them.
What seems more troubling is the amount of people using their company emails for registration in external sites. Certainly in many cases it is a necessary action, can't stress enough that this type of thing should be avoided as much as possible.
Change your passwords and use two-step authentication when available. Over the next two weeks we will see so many people losing their privacy, so please change your own passwords without delay.
Want to help your friends? Make sure they read this page so they can also learn. That's good karma being built on 2018 right from the start.
Stay safe out there.