Operator at kayo.moe found a 42M Record Credential Stuffing Data ready to use

Pierluigi Paganini September 14, 2018

Operator at kayo.moe found a 42M Record  Credential Stuffing Data containing email addresses, plain text passwords, and partial credit card info.

A huge archive containing email addresses, plain text passwords, and partial credit card data has been found on a free anonymous hosting service, Kayo.moe.

The operator of the service shared the file with the popular expert Troy Hunt who operates the Have I Been Pwned data breach notification service asking him to check the source of the huge trove of data.

The data is not related to a data breach of kayo.moe, the platform was not impacted by any incident.

The database shared by Kayo includes over a total of 755 files totaling 1.8GB.

According to Hunt, the data in the archive were collected for credential stuffing attacks, typically hackers obtain data from multiple breaches then combine them into a single unified list.

The attackers were likely planning to run them automatically against multiple online services and compromise user accounts.

Roughly 89% of the records in a sample set analyzed by Hunt were already in the HIBP archive, this means that the archive anyway contains a huge quantity of data that were not present.

“When I pulled the email addresses out of the file, I found almost 42M unique values. I took a sample set and found about 89% of them were already in HIBP which meant there was a significant amount of data I’ve never seen before. (Later, after loading the entire data set, that figure went up to 93%.),” Hunt wrote a blog post.

“There was no single pattern for the breaches they appeared in and the only noteworthy thing that stood out was a high hit rate against numeric email address aliases from Facebook also seen in the (most likely fabricated) Badoo incident. Inverting that number and pro-rata’ing to the entire data set, I’d never seen more than 4M of the addresses. So I loaded the data.”

Credential Stuffing Data


“The data also contained a variety of other files; some with logs, some with partial credit card data and some with Spotify details.” added Hunt. “This doesn’t indicate a Spotify breach, however, as I consistently see pastes implying a breach yet every time I’ve delved into it, it’s always come back to account takeover via password reused.”

To avoid being vulnerable to credential stuffing attacks the best defense is to use different credentials for each web service we use. Don’t reuse passwords!

Always use a two-factor authentication mechanism when implemented by the service we access to, and use strong password that can be generated by password manager applications.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – credential stuffing attacks, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment