A massive database of hacked (or otherwise leaked) user credentials is available on the dark web, carrying details pertaining to a staggering 1.4 billion people.

Note that this isn’t a fresh data breach, but rather a compendium of past breaches, all collated together into one mega-file, with the hard work already done in terms of the fact that the data is unencrypted (it has already been cracked, if the data in question was encrypted in the first place – not always the case with some security breaches).

According to security researchers from 4iQ, the file weighs in at 41GB and as mentioned carries 1.4 billion username, email and password credentials, all in plaintext (unencrypted).

This is a worrying move indeed, given that it makes things much easier for cybercriminals to gain convenient and wider access to a bunch of potentially still functional logins, even if this data dates back some time.

You would hope that many of the passwords would have been changed since, but according to Julio Casal, founder of 4iQ: “None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of the have been verified to be true.”

Part of the problem is that even if the hacked password has been changed on the site it was stolen from, the user may have reused that password on another site.

Organized cybercrime

The passwords are also well organized, being indexed and alphabetized, so the vast database is easy to search.

This is all part of the trend of things becoming easier for the ne’er-do-wells who lurk on the net and dark web. These days you can even buy ransomware-as-a-service, and easy-to-use toolkits to spread malware and exploit unfortunate victims online.

4iQ further notes that this file aggregates around 250 old breaches, including many known breaches such as LinkedIn, Netflix, Last.FM and YouPorn, and it’s coming on for twice as large as the previous biggest credential exposure (which aggregated almost 800 million credentials).

While, as mentioned, much of the data is from old breaches already known in the hacker community, 4iQ found that 14% of the username and passwords had not previously been available in readily-usable decrypted form.

You might well ask what’s in it for the person who took the time to put together this mega-file? As Wccftech.com reports, the author has added details of a Bitcoin wallet for those who feel the project is worthy of giving a donation.

Finally, which was the most commonly used password amongst these cracked credentials? It’ll be no surprise to find out that it was the incredulously unsophisticated ‘123456’. Encryption aside, cracking passwords really can be as easy as 1-2-3, pretty much, it seems…