
1.4B Clear Text Credentials Discovered in a Single Database - heywire
https://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14
======
LeonM
How come 'homelesspa' ranks 13 on the most used passwords? I mean, I
understand why '123456' and 'password' are in the list, but a seemingly random
combination of words such as 'homelesspa'?

I did find this:
[https://twitter.com/clinton_ngn/status/736247662866006018](https://twitter.com/clinton_ngn/status/736247662866006018)
But no real explanation

~~~
kevin_thibedeau
Could be added to detect who is scanning with this list. Akin to mapmakers
adding fake streets.

~~~
dabber
Map makers add fake streets to mark their maps?

~~~
bklaasen
Yes, they're called "trap streets":
[https://en.m.wikipedia.org/wiki/Trap_street](https://en.m.wikipedia.org/wiki/Trap_street)

------
sschueller
Where can I download this dump so I can find out if any of my accounts are in
it?

~~~
varren
[https://www.reddit.com/r/pwned/comments/7hhqfo/combination_o...](https://www.reddit.com/r/pwned/comments/7hhqfo/combination_of_many_breaches/)

~~~
gregsadetsky
Thanks a lot for the link! I ended up downloading the database, and going
through all of my email contacts to see who was affected to write to them
individually.

About 7/10 frequently contacted people were in the database (...!). About half
of those let me know that the passwords were not in use anymore. The other
half was very, very grateful...!

It was a great time to remind them about password managers, 2fa, etc.

------
marksomnian
Title is exaggerating; this "single database" is actually an aggregate of many
previous breach dumps.

~~~
snarfy
Which makes the aggregate a single database.

~~~
breakingcups
Yes, but it is not like a single service has been breached to leak that many
accounts, significantly reducing the relevance and impact of this particular
database.

Anyone can compile a list such as this from other big dumps without much
trouble, you just need some disk space.

~~~
coldtea
> _Yes, but it is not like a single service has been breached to leak that
> many accounts, significantly reducing the relevance and impact of this
> particular database._

Err, it actually increases its relevance and impact. With the same database
now a hacker can reach multiple services...

------
rando444
A couple of the constant examples of password reuse that can be found:

 _proceeds to list domain names that are aliases of one another_

Also the whole describing the thing as a database and saying it's fast because
it's alphabetical...

At least describe what kind of database you're talking about so we can
understand why an index isn't possible.

------
Johnny555
This seems odd:

 _This database makes finding passwords faster and easier than ever before. As
an example searching for “admin,” “administrator” and “root” returned 226,631
passwords of admin users in a few seconds._

Out of 1.4B credentials there are only 226K for admin, administrator and root?

~~~
pedalpete
We're talking account passwords for web services mostly, right?

I think that would explain why admin, administrator and root are rarely used
as usernames.

------
jokoon
I checked, most are outdated passwords.

Odd thing, I checked with other people, and they don't remember those as old
passwords.

I even found passwords I don't remember...

------
campuscodi
This article is such garbage... it was torn apart in a /r/netsec discussion
just last night.

[https://www.reddit.com/r/netsec/comments/7ikbzo/14_billion_c...](https://www.reddit.com/r/netsec/comments/7ikbzo/14_billion_clear_text_credentials_discovered_in_a/)

