1.4 Billion Stolen Passwords Found On Dark Web Forum

A stark reminder to us all about password security

More than 1.4 billion stolen passwords and other credentials have been found in a plain text file, which was posted in a dark web forum. Security threat intelligence company 4iQ discovered the 41GB file on 5th December, and after a few days of sifting through the data, it reported on its findings so far.

The data dump is said to be twice as large as the previous record holder, the Exploit.in list that contained 797 sets of credentials.

The majority of the information in this file actually comes from previous breaches, including Exploit.in, but sadly this doesn’t actually mean the credentials have been updated. In fact, 4iQ contacted some of the people affected by this breach, and many were still using the passwords contained in this file. And as well as these older records, there were millions of new ones.

That’s worrying, of course, because it shows that many organisations still aren’t doing enough to protect the data they have in their possession.

What’s perhaps more concerning, though, is how terrible some of these stolen passwords are. Not only do these credentials show how people reuse the same passwords, often with little or no variation, they reveal that even the passwords everyone should know to avoid are still being used by large numbers of people.

Top of the list was ‘123456’, followed by ‘123456789’, ‘qwerty’ and ‘password.’ Of course, some of the older account details could have been updated by now, but honestly, there’s way of knowing just how many of them are still being used.

Are Yours Among The Stolen Passwords?

Right now, there’s no way to check. 4iQ hasn’t actually said where it found this file, and it hasn’t provided any method of checking if your details are included in it. Whether such a facility will eventually be offered is entirely up to 4iQ.

But while you can’t find out whether you’re on the 4iQ list, you can find out if your details have been part of other leaked lists. Simply type your email address in at Have I Been Pwned?, and you’ll see if it’s appeared in some of the biggest data breaches of recent times. Your passwords won’t be revealed, but you will be able to see which sites have been affected. You should, of course, change those passwords immediately, and if you’ve used them elsewhere, change them there too.

And remember, when you’re picking new passwords, don’t simply use variations of the existing ones. Use a password manager or follow our straightforward password advice.

By having strong unique passwords on every site, even if you end up on one of these lists, criminals won’t be able to use that information to get into your other accounts.


Is your business’s security up to scratch? To find out, contact TMB to arrange a free security audit.

Leave a Reply

Your email address will not be published.