The cyber intelligence company 4iQ has located a file on the 'dark web' that contained 1.4 billion credentials, which makes it the largest database of stolen passwords known to date. The finding has served to verify that the level of complexity of passwords remains mostly low.

The database contained 1.4 billion identifiers (41 gigabytes in size) with their passwords in the clear. According to 4iQ, the magnitude of this leak marks a new record. The previous largest data leak was almost half the size, with 797 million identifiers.


This data set aggregates 252 different sources of identifiers, including the hacks from recent years: LinkedIn, Lastfm, YouPorn, Fling, and more. It is organized alphabetically and, thanks to scripts, allows users to carry out searches and analyses quickly. In addition to credentials stolen from sites like LinkedIn, small leaks affected sites like Bitcoin and Pastebin.

Interactive database

Julio Casal, CTO at 4iQ, has warned that this file is more than just a list: it is also an interactive database that allows access to more leaks, given that many people use the same password for multiple online services.

The encrypted file makes locating passwords faster and easier than ever, since a search for a term such as 'admin' returns several tens of thousands of keys in a few seconds.

The credentials are listed alphabetically, which reveals patterns and trends in how the keys are chosen or how they are reused. Among the most used passwords, there is not much surprise. 4iQ has also disclosed the 40 most repeated passwords in this list.

According to the firm, '123456' is the most used: it appears in more than 9.2 million accounts, followed by '123456789', which is present in more than 3.1 million accounts, while 'qwerty' was found in more than 1.6 million profiles. Another popular simple code is 'password'.

The company has tested some of these credentials and the majority have been shown to be valid.


Goldmine for hackers

For hackers, such a database is a godsend because it speeds up attacks by allowing statistical analysis of how users choose and change their passwords. The leak showed those who reuse the same password on different sites and those who rely on simplistic variants. This database proves, once again, the importance of using a password manager to create and store complex and different codes for each site or service.