Large webshops and Marktplaats do not see a recent increase in account abuse resulting from the easy availability of databases with passwords on the internet. A user put a password search engine online on Friday.
Last week a site warned its users about suspicious login attempts. The perpetrator most likely used databases of login data that have been circulating on the internet for years. Such databases are reconstructed from large data leaks at online services. They were easy to find, and not only on darknets but also via Reddit and GitHub. A security researcher collected a file with more than 1.65 billion e-mail addresses and passwords and used it to simulate login attempts; if a login succeeded, the account was locked and the user notified.
On Friday, the AD was also alerted to the existence of such a database, with the reporter informing them that he would put a search engine online so that users could easily check whether their account data is lying around on the internet. In the last few months there seems to be more attention for the existence of these databases, and the security researcher has seen more attempts to abuse them since the beginning of this year. However, this seems to be a coincidence.
“We do not see an upward trend”, says Jan-Willem in Gussinklo, spokesperson for Marktplaats. “We sometimes see peaks in phishing campaigns, maybe other people are now being tempted to try something if it gets easier with a search engine, and on the other hand, we’re happy with the attention that’s there, so people are aware of having a good password policy.”
Bol.com also sees no recent noticeable increase in the number of abuse attempts via leaked data. “We keep a close eye on reports about the release of account data through other organizations,” says the spokesperson, who adds that Bol.com blocks accounts preventively in case of doubts about their security. Coolblue also reports that there has been no increase in the number of abuse attempts.
For security researcher Rickey Gevers, this does not come as a surprise: “This has been going on for years. Perhaps security researcher, because it is relatively small and local, is only now .”

For anyone who already has databases with account data, building a search function is trivial. Search services can already be found on the internet, in addition to well-known services that do not release the passwords, such as Have I Been Pwned. The user who, under the name D0gberry, told the AD he would put such a search service online initially said he would abandon that plan. “I did not realize that a million officials, politicians, and other people in responsible positions use their work mail for Linkedin, Dropbox etc. They might use the same password for their home WiFi!”, he stated.

On Friday, the site finally came online, although at the time of writing it reports that it is too busy whenever a search is carried out. Earlier, the site was not accessible at all and a Cloudflare page reported that the host was offline. When a search by e-mail address or domain does succeed, the page shows only part of the e-mail address and the first two characters of the password. It is unclear why the site has now been made available despite the earlier objections.
Tips on preventing account abuse with strong passwords and password managers can be found on Password Awareness.