Threat Intelligence Blog

Posted March 23, 2017

By Steven Weinstein

Data breaches are unfortunately the norm now. From high profile breaches impacting millions of consumers’ personally identifiable information (PII), financial information, and account data to smaller breaches affecting login credentials of thousands of users, it’s only a matter of time before we’ve all been impacted in some way.

We Collected 3 Billion Unique Credential Pairs – Here’s What We LearnedRecently, the LookingGlass Cyber Threat Intelligence Group (CTIG) collected our 3 billionth unique credential pair (the combination of a username/email address along with its password data). CTIG collects breach data and credential dumps to help customers mitigate risk and determine which identified credentials they should be concerned with to reduce the noise surrounding the volume of alerts they receive.

So, what did we learn in the process?

Breach data is a commodity. Buying or trading for the data supports a booming underground economy that incentivizes attackers and data brokers. The data is often posted freely or offered for sale on paste sites or underground forums, which has led actors looking to exploit every opportunity to make money. Actors frequently claim they have breached a website or service and ask for Bitcoins for payment for the full data dump, offering proof by posting the first thousand account logins. In our experience, however, this “proof” is often a list of credentials recycled from previous data breaches.

Stolen credentials pose real risk. Credentials found in data breaches have been a primary source for credential stuffing attacks, in which attackers automate attempts to log in with stolen credentials, resulting in account takeovers and fraud. Although these attacks are trivial to detect and defend against, depending on the organization and types of valid user accounts that are broken into, these attacks can cause millions of dollars of impact. Additionally, specific high profile users including executives, celebrities, politicians, etc. have been targeted and have had their accounts taken over because their credentials were found in breach data.

People still use horrible passwords. Our entire dataset, which spans breach data from hacks over the past 10+ years, reflects the long-understood notion that people choose terrible passwords. Below are the top 10 passwords observed throughout our entire database:
data breach

Users aren’t the only ones at fault. Although users are still using insecure passwords, the websites that get breached need to have more accountability for not only the proper encryption and storage of user data, but also for keeping their technology up to date and patched. Additionally, websites need to enforce much stricter password policies for their users. Many companies and websites (including ones with hundreds of millions of users!) still use poor hashing algorithms with no salts or even no hashing at all, which results in hackers easily and quickly cracking most user passwords. However, even though many sites use stronger hashing algorithms, many breaches include full database dumps which reveal salts for each user.

Overall, it took us 10,439 credential dumps to hit the massive three billion unique credential pairs mark, that we collected in automated and manual means from both the surface and dark web. Because of the nature of users to reuse passwords across multiple sites, as well as large amounts of recycled credential pairs, it took us 3,763,289,569 credential pairs to reach 3,000,974,740 unique pairs. Below is a graph showing the growth of the total number of credential pairs we’ve collected:
data breach

Of the 10,439 dumps we’ve collected since September 2014, the average number of records is 366,517, while the median is only 3,324. This can be easily explained by the fact that most credentials lists we collect come from paste sites, which usually have size limits on the amount of data that can be posted.

So far, 2017 has not resulted in the same volume of “mega breaches” that were announced in 2016, the market for data breaches in underground communities remains strong. We anticipate more breach announcements this year that will take advantage of the still red hot underground data breach market, which will result in organizations continuing to need to fight against account takeovers and fraud.

One way to proactively get ahead of a data breach is early detection and warning of data dumps. LookingGlass Compromised Information Monitoring provides continuous, automated discovery of stolen and compromised credentials across the web, underground forums and the darknet. Learn more at

Additional Posts

The CyberWire Daily Podcast for 03.23.17

In today's podcast we offer a rundown of recently announced threats and vulnerabilities in stores ...

LookingGlass Cyber Solutions Inaugurates New Corporate Headquarters

Reston, VA – March 22, 2017—LookingGlass® Cyber Solutions, a leader in threat ...