Researcher trawls cybercrime sites, collects billions of stolen credentials


Now added to HaveIBeenPwned.com so that victims can check for compromise.

A security researcher who took it upon himself to collect credentials data from locations where cybercriminals had published it discovered nearly 2 billion unique email addresses, along with 1.3 billion passwords.

The data has been verified, indexed and uploaded to Australian breach site HaveIBeenPwned.com, run by Troy Hunt, which sent out alerts today to registered users who monitor for credential leaks for free.

Final-year college student Ben Brundage runs Synthient, a company that devised a threat intelligence system which aims to capture as much unique data as possible for close to real-time alerting.

It trawled 30 billion messages from comms and social app Telegram, forums where infostealer malware logs and database dumps are published, and social media sites to gather data on credentials captured by digital criminals.

Telegram turned out to be the largest data source, with a single account being able to ingest as many as 50 million credentials posted in a single day, Brundage said.

The credentials are sold by different groups of infostealers: primary sellers that manage key operations, aggregators of logs that are shared on public channels, and "traffers" that spread malware while cooperating with sellers.

Brundage and Synthient said that when they started the process, they had no idea how much data it would entail.

"It quickly became apparent that we had neither the time nor the resources to continue, which is why we’ve donated the data to Have I Been Pwned," Brundage said.

Brundage said he hopes that providing the data set to Have I Been Pwned will let victims secure themselves.

The data has been collected since April this year, with the corpus being about 3.5 terabytes in size, Hunt wrote in October.

It comprises both malware infostealer logs and credential stuffing lists. 

The former contain website links, along with the email addresses and passwords that users have entered to log in.

Credential stuffing exploits password reuse across multiple sites; when attackers get hold of credentials for one particular site, they can try them on thousands of others using automated bots to gain account access.

Much of the data found by Brundage and Synthient is aggregated from prior data breaches, but Hunt said millions of addresses had not previously been published and loaded into Have I Been Pwned.

Copyright © iTnews.com.au . All rights reserved.