Database with Passwords Found on Public Hosting

An enormous database containing email addresses, unencrypted passwords, and partial credit card numbers was discovered on a free public hosting service. In total, 41,826,763 unique passwords and email addresses were uploaded to the anonymous hosting service kayo.moe (755 files totaling 1.8 GB). The operator of the service sent the database to security researcher Troy Hunt.

Based on the data format, Hunt suggested that the information was prepared for use in an attack known as credential stuffing. More than 91% of the leaked information was already present in Hunt’s service, Have I Been Pwned, which allows users to check if their accounts have been compromised. It is impossible to determine the source of the leak by the file names, as they were obfuscated, likely during the upload to kayo.moe.

What is Credential Stuffing?

Credential stuffing is a type of cyberattack similar to brute force attacks. However, instead of guessing passwords using a dictionary or lists of commonly used logins and passwords, attackers use a pre-acquired database of stolen credentials.