10 billion exposed credentials and where to find them
Researchers at password manager NordPass have identified a total of 9,517 unsecured databases containing 10,463,315,645 entries with such data as emails, passwords, and phone numbers.
The databases are found across 20 different countries, with China being at the top of the list -- the country has nearly 4,000 exposed databases. This means that potentially more than 2.6 billion users could have had their accounts breached.
The United States comes second, with nearly 3,000 unsecured databases and almost 2.3 billion entries made available online. India is third, with 520 unsecured databases and 4,878,723 exposed entries.
Finding these databases isn't hard, search engines like Censys or Shodan scan the web constantly and let anyone view open databases in just a few clicks. If the database managers have used the default logins then getting access is simple too.
"In fact, with proper equipment, you could easily scan the whole internet on your own in just 40 minutes," says Chad Hammond, security expert at NordPass.
Recently, unsecured databases have been hit by a 'Meow' attack, which wiped clean thousands of them. "These kinds of attacks are very frequent. Usually, the attacker asks for ransom. This attack seems to be different only because the hackers deleted the data instead of asking for ransom," adds Hammond. "The Meow attack against unsecured databases should only reinforce the need for proper data security. And while some of the affected databases only contained testing data, the Meow attack targeted some high-level victims, among which was one of the biggest payment platforms in Africa." Hammond estimates that 39 percent of all databases have already been hit by one of these attacks.
To protect themselves properly companies should encrypt data using trusted and robust algorithms instead of custom or random methods. It's also important to select appropriate key lengths to protect systems from attack. Identity management is another important step and should be used to ensure that only the relevant people in an enterprise have access to technological resources. There also needs to be a security team responsible for vulnerability management and able to detect any vulnerabilities early on.
Users need to take care too says Hammond, "The fact that we have more than 10 billion passwords up for grabs should only encourage people to think of strong, lengthy passwords. If your password is '12345', no firewall in the world will protect your data. Your password shouldn't be a dictionary word either -- an average person uses only about 20,000-30,000 words, so chances are that all of them are already among those 10 billion."
You can find out more about securing credentials on the NordPass blog.