Authlogics Password Breach Database
The Authlogics Password Breach Database is a large compilation of over 2 billion credentials which have been breached, this includes 1 billion unique clear text passwords. The database is hosted in the Cloud to allow for near real-time lookups and intensive data analytics. This database powers the following services offerings:
Are your details one of the 2 billion credentials in our Password Breach Database?
How do passwords get breached?
There are many ways that passwords get breached, however, the most common are direct hacks, phishing and malware. Direct hacks affect many people with accounts at a particular organisation whereas Phishing and Malware are more generic attacks that don’t target a specific entity. They are designed to steal the credentials directly from the user when they are entered and do not rely on a database server to compromised.
Phishing attacks are commonly performed when the hacker sends a mass email to people which looks like it is from a legitimate company. The email will contain a link to a website where the user will need to log in, however, the site they are logging into belongs to the hacker and not the company the user thinks they are logging into. Thus, the user unwittingly hands their login details to the hacker. Some of these emails and scams are easy to spot (junk mail, very bad spelling etc), but others can easily be mistaken for the real thing.
Malware involves users logging onto a legitimate website using an infected system. The malware, in its simplest form, acts as a software keylogger and intercepts usernames and passwords as they are entered and sends them to the hacker for collection. Again, the sophistication of the malware will vary greatly and luckily many Anti-Virus products are able to detect them.
Managing the database
The Authlogics Password Breach Database is growing on a daily basis as new leaks are found at an average rate of around 10,000 entries per day. We use various data sources including mainstream news, online forums, torrents, paste bins and other locations on the dark web. Our corporate policy is that we never pay for data. The data is obtained in a variety of formats which often includes a lot of other data which we simply discard, e.g. phone numbers, credit card information, addresses etc. The retained data is then sanitised and analysed for credibility before being added to the database. Where possible, we also record the source of the data for reference.
We only store username and password information. The username is typically an email address, and the password is in clear text. In addition to the clear text, we also store the password in multiple hash formats for quick analysis purposes. We do not attempt to directly “validate” or “test” the data we gather as this could easily be considered hacking.
If you are in possession of password breach data or know that your organisation has been breached, and would like to protect others from falling victim to it please let us know. We will happily work with you to securely transmit the data to us for analysis and give full credit where it is due, or you may remain anonymous if you wish. We have a dedicated email address which doesn’t involve sale/marketing people or subscribe you to mailing lists etc, it is run purely by IT security professionals: firstname.lastname@example.org
Password breach data and GDPR
The data we store in the Authlogics Password Breach Database is sourced from the Public Domain and should be assumed to be already in the hands of bad actors; our retention of the data does not change this risk. Additionally, we only store email addresses and passwords, we do not store any other personally identifiable information. However, even data obtained from the Public Domain still has to comply with GDPR.
The data we store is not provided under “consent” per GDPR, however, we are able to retain the data on a “legitimate interest” basis which does not require explicit consent. At no point do we collect passwords directly from people, with or without their knowledge.
To comply with the legitimate interest requirements three “tests” must be applied:
- Purpose test – is there a legitimate interest behind the processing?
- The collection of data is able to significantly lower the risk of a security breach and adds value to the person(s) relating to the data entry. The dataset as a whole provides legitimate interests of the public in general.
- Necessity test – is the processing necessary for that purpose?
- Without the existence of the data, the risk processing would not be possible.
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
- We use the data purely for statistical analysis purposes which does not infringe on any individual rights. The benefits to legitimate interests of the public significantly outweigh any negative impact to the individual’s interest.
Exclusion from our database
If a person or organisation would like to be excluded from results provided by our database we are able to accommodate this. We will still retain the data for overall analysis purposes however the existence of the data will no longer be visible. This, of course, does not change the fact that the information may well still exist in other sources online which is beyond our control.
To request exclusion please visit our Password Breach Database exclusion request page.