Two databases collecting hundreds of millions of compromised credentials—usernames and passwords stolen by attackers or leaked to the Web—were exposed this week in separate incidents.
On May 5, security services provider Hold Security reported that a Russian hacker had given the firm a database of 272 million unique credentials, more than 42 million of which the company had not previously encountered. The announcement came two days after a report came out that a vulnerability in the PwnedList service of security firm InfoArmor had exposed the company’s database of 822 million stolen credentials. In that incident, a security researcher found a flaw that could allow anyone to retrieve compromised data from the database.
InfoArmor downplayed the risk that the vulnerability in its Website poses, pointing out that the credentials were already available on the Internet and that the service had been patched before the incident was reported.
“The patch was applied immediately and before the story broke,” Byron Rashed, a spokesman for InfoArmor, told eWEEK in an email interview. “The process that was undertaken to access this vulnerability was extensive; it was not easy to do or ever done before.”
The company also stressed that the database had not been previously abused in the same way. “We have no other subscriber who ever attempted to do this or added any domain to their own watch list,” he said.
Self-described security enthusiast Bob Hodges and security journalist Brian Krebs both used the vulnerability to access the site for demonstration purposes.
The incidents do underscore the massive trade in online users’ credentials. The database collected from the Russian hacker by Hold Security contained aggregated information from many breaches, Alex Holden, founder and chief information security officer of the firm, told eWEEK.
“While it looked like the person worked alone to collect the data—he did not mention anyone else as part of his group—he mentioned that he collected this over a long period of time,” Holden said.
Because both databases of credentials had previously been compromised, the security community debated whether the incidents constituted leaks.
“This was not a breach by any means; it was a vulnerability in the code of the website,” InfoArmor’s Rashed said. “The sample data that was retrieved … were credentials that can be readily found on the Internet.”
Yet the incidents highlight that compromised credentials do pose a significant danger. Hold Security found that the vast majority of compromised credentials in the database obtained by the firm were unencrypted, meaning that anyone with access to the data could have used the passwords directly.
“One of the more disturbing details for us is that the credentials were not encrypted,” Holden said. “We manually reviewed sections of the data and saw an insignificant fraction of the passwords encrypted.”