UPDATED 22:17 EDT / DECEMBER 10 2017

Security company discovers database of 1.4B user credentials on the dark web

It’s getting easier for hackers to obtain user credentials in bulk.

A security company has discovered a download containing 1.4 billion records offered for sale on the dark web, the largest aggregate database found on the dark web to date.

4iq Inc. made the discovery, detailing on Medium Friday that it found the file for sale in “an underground community forum” and that the database included unencrypted passwords for the 1.4 billion accounts listed within it. The dark web is a shady part of the internet that requires special software to access.

The user credentials themselves are said to include data mostly from 252 previous breaches, including credentials from existing services such as Anti Public and Exploit.in and decrypted passwords from previously disclosed hacks such as that of LinkedIn. An estimated 14 percent of the records found in the database are believed to be fresh data — that is, username/password pairs that had not previously been decrypted by the hacking community.

Although the 1.4 billion records is an impressive figure by itself, the way the credentials are stored within the download is said to be the more disturbing part of the discovery. “This is not just a list,” 4iq’s Julio Casal wrote. “It is an aggregated, interactive database that allows for fast (one second response) searches and new breach imports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover.”

4iq is continuing to analyze the data, but it has already found that some things never change when it comes to hacked data: People use stupid, unsafe passwords. Of the 1.4 billion records, the most common password used was 123456, with 9.2 million entries, followed by 123456789 in second place with 3.1 million instances found. Qwerty, “password,” 111111, 12345678 and abc123 were the remaining passwords to have recorded over 1 million instances in the database.

The implication is that individual users are bad at setting strong passwords. Yet some of the blame lies with large businesses failing to prevent customers and employees from using such passwords to begin with. In August, a report from Dashlane Inc. found that 46 percent of consumer sites and 36 percent of enterprise sites failed to implement even the most basic password security requirements.
