IBM says that more than four billion records were leaked online in 2016, including a mix of credit card data, passwords and personal health information. The number of different bits about people’s private lives leaked online last year were up from 600 million exposed records in 2015, and one billion exposed records in 2014.
A hallmark of 2016 though was an abundance of data from sources other than databases, such as email, documents, intellectual property and source code, otherwise known as ‘unstructured data’
“Unstructured data is big-game hunting for hackers and we expect to see them monetize it this year in new ways,” said Caleb Barlow, vice president of Threat Intelligence at IBM Security.
Let year's bumper headline figure for leaked records was a consequence of firms disclosing old breaches after their belated discovery. Large portions of the personal data discovered to have ben public in 2016 were actually being shared among cybercriminals for several years. In some cases the exact date of the breach is not known.
The most significant discovery in 2016 came with Yahoo’s admission that hackers managed to grab 500 million credentials in 2014, and one billion records in 2013. Other aging breaches disclosed in 2016 that occurred in years prior affected 117 million LinkedIn users, and tens of millions of Dropbox and last.fm users.
While the leaks are old, and might therefore be dismissed as irrelevant, the danger lies in the fact that people tend to keep using old passwords for years. Compounding this risk is that online companies back then used hashing algorithms, such as MD5, that today can’t withstand password cracking attempts using modern chips.
“Many Internet giants previously used easy-to-crack hashing algorithms such as MD5. The result is that there are billions of email and plain-text password combinations available for those interested in purchasing them—and many of these parties have successfully used these credentials to hijack accounts on other sites and services,” IBM notes.
Due to mass password leaks in recent years, cybercriminals have gained access to a solid list of commonly used passwords that can be used to enhance cracking attempts. IBM recommends that any firm that has an online signup process reject common passwords.