Database with passwords appeared on public hosting

More than 42 million unique passwords and e-mail addresses have been uploaded to anonymous hosting service kayo.moe

A huge database containing e-mail addresses, unencrypted passwords and partial credit card numbers, was on a free public hosting.

A total of 41,826,763 unique passwords and e-mail addresses were uploaded to the anonymous hosting service kayo.moe (755 files with a size of 1.8 GB). The service operator sent a database to security researcher Troy Hunt. Judging by the data format, Hunt suggested that they were prepared for use in an attack known as credential stuffing.

More than 91% of the leaked information already exists in the Honey-managed service Have I Been Pwned, which allows users to find out if their accounts were hacked. It is impossible to determine the source of the leak by file names, since they were obfuscated, probably in the process of uploading to kayo.moe.

Credential stuffing is a kind of cyber attack such as bruteforce. It differs from the latter in that the enumeration of options is carried out not by dictionary or lists of frequently used logins and passwords, but by a previously acquired database of stolen data.

Leave a Reply