
Cybercriminals Trade 183 Million Stolen Credentials on Telegram, Dark Forums

The email addresses were pulled from various sources and 16.4 million of them were not present in previous data breaches. The post Cybercriminals Trade 183 Million Stolen Credentials on Telegram, Dark Forums appeared first on SecurityWeek.


Millions of leaked credentials are lurking on the web, shared between cybercriminals through various channels, cybersecurity firm Synthient has discovered.

By aggregating data from several platforms, including Telegram channels, forums, social media sites, and the Tor network, Synthient created a large database of leaked credentials, containing 183 million unique email addresses.

Most of the credentials, the company explains, were shared on Telegram and originate from information stealer infections. They were not exfiltrated by hacking into organizations, but by infecting users with malware.

The data comes from primary sellers of stolen information, aggregators who collect infostealer logs and repost the information on their channels, and miscreants who spread malware used by primary sellers.

Focused on better understanding adversary infrastructure, Synthient built a system to collect and parse through all the leaked information, then compiled the data and sent it to the data breach notification service Have I Been Pwned.

The 3.5-terabyte database contained 23 billion rows, including leaked email addresses, passwords, and the websites on which the credentials were used, Have I Been Pwned maintainer Troy Hunt explains.

Most of the credentials aggregated by Synthient, he notes, were already present in Have I Been Pwned’s database. Only 9% were not in previous data breaches added to the service, but those represent a hefty number: 16.4 million email addresses.

Hunt verified that the data is genuine, and now the email addresses, along with the websites they were used on, are searchable on Have I Been Pwned.

Hunt also noted that, in addition to infostealer logs, the Synthient data contained credential stuffing lists, which are typically collected from data breaches and then used to take over accounts on various online platforms.

But the data collected by Synthient did not originate from a single data breach, let alone one at Gmail, as headlines at multiple news outlets claimed over the past several days, prompting a firm response from Google.

“Reports of a ‘Gmail security breach impacting millions of users’ are false. […] The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web. It’s not reflective of a new attack aimed at any one person, tool, or platform,” Google said on X.

The best protection against credential theft, Google points out, is using multi-factor authentication (MFA) and switching to passkeys, which are safer than passwords. Users should promptly reset their passwords when large batches of leaked credentials emerge, the company added.

“The significant volume of passwords that are compromised annually should be a very motivating factor in enabling MFA and should drive people to consider the importance of securing accounts, especially email accounts,” KnowBe4 CISO advisor Erich Kron said.
