11 May 2017

TLP Rating: White

1 billion username and password credentials released

Over the past few days, a significant number of username/email address and password combinations have been released publicly, in lists known as Anti-Public and Exploit.in. In total, over 1 billion sets of details have been released.

  • The Anti-Public list has been in use since December 2016. It contains 458 million unique email addresses, many alongside multiple different passwords. This suggests they were stolen from multiple sites and online spaces.
  • The Exploit.in list appears to have been in use since late 2016, although the information has only recently been published in accessible forums. This list contains 593 million unique email addresses.

At this time, the sources these credentials were stolen from are unknown. However, security specialist Troy Hunt has said that there are only 222 million instances of crossover between the two lists, which suggests that they’ve likely originated from different places. This also means that there’s a variation in the age of the credentials: some are years old, while some are more current.

It’s highly likely that these email addresses and passwords will be used for 'credential stuffing' attempts. Attackers will try the email and password combinations on different websites to see where passwords may have been reused, in order to gain access to a wide range of personal and financial information.
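For site operators, the pattern described above is visible in login logs: one source tries many different accounts, only once or twice each, and mostly fails. The following is an added example, not part of the original advisory, that flags such sources and lists the accounts they logged in to successfully. The log format, thresholds and function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample log (one time window): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2017-05-11T09:00:01Z 198.51.100.7 alice@example.com FAIL
2017-05-11T09:00:02Z 198.51.100.7 bob@example.com FAIL
2017-05-11T09:00:03Z 198.51.100.7 carol@example.com OK
2017-05-11T09:00:04Z 198.51.100.7 dave@example.com FAIL
2017-05-11T09:00:05Z 198.51.100.7 erin@example.com FAIL
2017-05-11T09:00:06Z 198.51.100.7 frank@example.com FAIL
2017-05-11T09:01:10Z 203.0.113.20 grace@example.com FAIL
2017-05-11T09:01:15Z 203.0.113.20 grace@example.com FAIL
2017-05-11T09:01:21Z 203.0.113.20 grace@example.com OK
2017-05-11T09:02:00Z 192.0.2.44 heidi@example.com OK
malformed line without enough fields
"""

def parse_events(text):
    """Yield (ip, account, succeeded) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2].lower(), parts[3] == "OK"

def find_stuffing_sources(events, min_accounts=5, max_avg_tries=2.0, max_success_rate=0.5):
    """Return {ip: accounts that logged in OK} for sources matching the stuffing pattern.

    Stuffing looks like many distinct accounts, few tries per account (one leaked
    password each) and mostly failures; a forgetful user hits one account repeatedly.
    """
    attempts = defaultdict(lambda: defaultdict(int))   # ip -> account -> tries
    successes = defaultdict(set)                       # ip -> accounts with an OK
    for ip, account, ok in events:
        attempts[ip][account] += 1
        if ok:
            successes[ip].add(account)
    flagged = {}
    for ip, per_account in attempts.items():
        total = sum(per_account.values())
        accounts = len(per_account)
        success_rate = len(successes[ip]) / accounts
        if (accounts >= min_accounts and total / accounts <= max_avg_tries
                and success_rate <= max_success_rate):
            flagged[ip] = sorted(successes[ip])        # candidates for forced reset
    return flagged

if __name__ == "__main__":
    for ip, compromised in find_stuffing_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: likely credential stuffing; reset and review {compromised}")
```

The accounts returned for a flagged source are the ones where a reused password worked, so they are the first candidates for a forced password reset and session review.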

As a proactive measure, organisations like Spotify and DigitalOcean are encouraging all users to change their passwords urgently.