Potsdam. In special Internet forums, security researchers at Hasso Plattner Institute (HPI) have tracked down nearly 35 million pieces of stolen identity data this year. Cyber criminals had published the data in fifteen cases, thus making it available for possible further illegal activities. HPI director Prof. Christoph Meinel stated that anyone can use the Institute’s “Identity Leak Checker” to check whether their personal identity data has been affected. After entering an e-mail address at sec.hpi.de/ilc, a user learns immediately, once a comparison has been made, whether the address has been disclosed in connection with other personal data (e.g., passwords or bank account numbers) and could be misused for malicious purposes.
“In the meantime, we are able to perform such checks against more than 215 million pieces of data collected from so-called leaks,” said Meinel. At the end of 2014, the figure was 180 million pieces of collected data. The data collected this year comes from 15 sources, such as Ashley Madison, Skype, Twitter, and Minecraft. Leaks from lesser-known sources such as Lizard Stresser, Sprashivai or Impact Mailorder also contributed data.
“This year there have been many big data thefts. In each case more than one million sets of identity data were stolen and subsequently made public,” the Potsdam Internet security researcher reported. Increasingly, so-called dating portals such as Ashley Madison or Adult FriendFinder have been attacked, where attackers see high potential for blackmail.
The free Hasso Plattner Institute Identity Leak Checker has recorded almost 100,000 visitors in the last twelve months. In almost 13,000 cases, visitors were informed by e-mail that their identity data is freely circulating on the Internet. They were also advised about what kind of response is recommended in the specific case. Since the launch of the service in May 2014, approximately 1.7 million visitors have made use of the HPI Identity Leak Checker. To date, 160,000 warning messages informing visitors about published identity data have been sent.
“The inquiry is always answered, even if nothing is found. It is, however, impossible to give an absolute guarantee that no personal information has been stolen,” said Meinel, since not all stolen data is published. For security reasons, the Institute does not reveal the actual data itself. However, it provides the approximate date on which the affected information was made public.
Passwords are the most frequently stolen form of identity data
Based on the statistics of HPI security researchers, passwords are by far the most commonly stolen identity data. In 62 million out of 233 million cases they are even found in plaintext. Next in order of frequency are first and last names (37 million), telephone numbers (32 million), and, at a far lower frequency, credit card data (10,200).
Based on the collected data, the analysis made by the Potsdam security researchers showed that the most popular passwords among Internet users worldwide remain series of numbers or of characters on the keyboard (e.g., qwerty). First names or other words from the dictionary are also popular, such as the word “password”. Globally, the number sequence 123456 unfortunately still holds undisputed first place, although, as Meinel said, such simple passwords are immediately detected by automatic crackers.