The world’s biggest stolen data archive is about to reach 10 billion personal records

Scammers who rely on internet users recycling their passwords are selling people's Netflix logins on social media

The world’s biggest repository holding people’s stolen data is about to reach a milestone of 10 billion hacked personal records - but does not even include victims of the latest EasyJet data breach.

Many millions more account logins, email addresses and passwords have leaked online as businesses battled to contain commercial fallout from coronavirus.

Security researcher Troy Hunt, founder of Have I Been Pwned, has collected nearly 9.8 billion records from corporate data breaches, including Dropbox, Yahoo and LinkedIn, so victims can check whether their often recycled login credentials were compromised.

He said scammers buy “dictionaries” of account credentials from dark net market sites before programming automated botnets to pummel popular websites with people’s reused logins, often thousands of times per second, hoping to gain access.

The legitimate user then finds themselves locked out, and their logins for sites such as Netflix and Spotify end up hawked on social media.

Twitter said it was trying to crack down on the trade in stolen logins offered on the platform, where users also vent their frustration at being locked out of their breached accounts.

Data thefts that emerged during the pandemic included Mathway, a popular maths-solving smartphone app, which saw 25 million user records stolen and put up for sale on the dark net.

Marketing lead-generation firm Leadhunter lost more than 110 million records from an unsecured database in March.

Meanwhile, EasyJet is facing a lawsuit from more than 10,000 people over a data breach disclosed last month that potentially exposed private details of nine million passengers.

Mr Hunt, a Microsoft regional director, predicts his repository will pass 10 billion records in the coming months, with one new “incident” reported to him every four days.

He said: “This is not secreted away in some corner of the internet that’s hard for people to get to, it’s out there in public - billions of records, email addresses and passwords.”

Amid a crisis in personal data flowing around the web, Mr Hunt advises that simply writing down novel passwords in a locked-away notebook can offer a more secure analogue solution.

He said: “We have a lot of usernames and passwords get leaked all over the place, and people tend to reuse their passwords.

“As soon as there’s a data breach, anyone who has access to that data - which is every kid and his mate these days - can now get into your account.

“Ninety per cent-plus of the world at the moment has got the same few passwords memorised in their head.

“What is the risk of you writing things down in a notebook, an analogue password manager?

“The reality of it is that a book is far, far better for the vast majority of people than what they’re doing at the moment, and a digital password manager is even better.”

A Twitter spokesman said: "It is against our rules to share hacked materials and our counterfeit policy prohibits the offer, promotion, sale or facilitation of unauthorised access to content, including digital goods.

"We take robust enforcement action where we identify violations."

Netflix said it monitors the web for data breaches, warns that passwords should not be reused and notifies customers if their credentials have been compromised.

Spotify has been contacted for comment.
