16 Billion Passwords Leaked

John Lister's picture

A collection of 16 billion login credentials has been discovered by security researchers. Despite the huge number, the researchers say the real problem is just how commonly records appear online.

The discovery was made by Cybernews, which assigned researchers to trawl as many online locations as possible to discover records. They found 30 datasets, of which just one had been widely known about and reported in the media. (Source: cybernews.com)

The datasets ranged from one of "just" 16 million records to one, apparently made up of details of Portuguese speakers, which had 3.5 billion records.

Few Sites Safe

The figures are so huge that some questions about them just can't be answered, while with others the answers are virtually inevitable. For example, the collection is on such a scale that it seems a very safe bet that passwords from any major online service imaginable are in it.

It's also very clear that there will be some degree of duplication across the different datasets. At the same time there will almost certainly be many individuals who have multiple accounts represented among the data. (Source: techradar.com)

Cybernews didn't publicly make clear if some or all of the datasets were encrypted. Encryption would slow down any misuse of the data, though the datasets potentially being accessible and downloadable means attackers would have time to use both targeted and brute force decryption.

They could also use the details for phishing attacks. For example, simply knowing somebody's email address and user name for a particular online service makes it easier to send a more plausible scam message.

Regular Breaches

According to Cybernews, the real problem is that large-scale databases are appearing online regularly. They say the datasets appear to be a combination of leaks (including from databases that are temporarily online without protection) and the results of malware specifically designed to harvest login details. Some simply trawl both websites and compromised networks for anything that appears to be in a login database format.

The sheer scale of the discovery is a reminder that good security practice includes three key steps. First, passwords need to be long to make decryption attempts as difficult as possible. Second, changing passwords regularly increases the chances of a leaked database being out of date before an attack. Finally, using unique passwords for different sites contains the potential risk if attackers do discover or decrypt a valid password.

What's Your Opinion?

Are you surprised by the size of this collection of passwords? Is it realistic to think we can ever stop large-scale password breaches? What measures do you take to reduce your risk of exposure to such breaches?
