Security researcher and privacy advocate Troy Hunt has reported an intriguing incident involving a free, public, and anonymous hosting service. A large collection of files containing email addresses, passwords in clear text and partial credit card details was uploaded to Kayo.moe. To be more precise, the data holds 41,826,763 unique email addresses, with the accompanying passwords in plain text.
The operator of Kayo.moe got in touch with Hunt and sent him the data (755 files totaling 1.8GB) so that the researcher could check whether it came from a data breach. It is worth stressing, however, that the report is not about a breach of Kayo.moe itself. “There’s absolutely no indication of any sort of security incident involving a vulnerability of that service”, Hunt said in his article.
Kayo.moe is a free, public, anonymous hosting service. The operator of the service (Kayo) reached out to me earlier this week and advised they’d noticed a collection of files uploaded to the site which appeared to contain personal data from a breach.
More about the 1.8GB Data Uploaded on Kayo.moe
Hunt notes that the data is the standard username:password pairing used in credential stuffing attacks. In such an attack, credentials harvested from multiple data breaches are merged into a single unified list, and the pairs are then replayed against other services in the hope that people have reused the same password there; every successful login is an account takeover, the researcher explained.
Besides the username:password pairs, the data set contained other details. Some files held logs, some partial credit card data and some Spotify details. Hunt cautions, however:
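The defensive side of what Hunt describes is spotting the replay when it hits your own login endpoint. The following is an added example, not code from Hunt's write-up or from Kayo.moe: it assumes a simple authentication log format (one line per attempt, `ip=`, `user=`, `result=OK|FAIL`) and runs over constructed sample lines. The signature it looks for is the one a combo list produces: a single source trying many distinct usernames with mostly failures, as opposed to a brute force that hammers one account, and it reports which accounts the source actually got into so those can be reset rather than merely blocked.

```python
"""Flag credential-stuffing activity in authentication logs.

Added example (not from Troy Hunt's write-up or Kayo.moe): the log format
below is assumed, and the log lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format: "<ISO-8601 timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: 203.0.113.5 walks a combo list (8 users, 1 hit);
# 198.51.100.7 is one user retrying their own password; 192.0.2.9 logs in normally.
SAMPLE_LOG = """\
2019-09-09T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-09-09T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-09-09T10:00:02Z ip=198.51.100.7 user=carol result=FAIL
2019-09-09T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2019-09-09T10:00:04Z ip=203.0.113.5 user=erin result=OK
2019-09-09T10:00:05Z ip=198.51.100.7 user=carol result=FAIL
2019-09-09T10:00:05Z ip=203.0.113.5 user=frank result=FAIL
2019-09-09T10:00:06Z ip=203.0.113.5 user=grace result=FAIL
2019-09-09T10:00:07Z ip=192.0.2.9 user=heidi result=OK
2019-09-09T10:00:07Z ip=203.0.113.5 user=ivan result=FAIL
2019-09-09T10:00:08Z ip=198.51.100.7 user=carol result=OK
2019-09-09T10:00:09Z ip=203.0.113.5 user=judy result=FAIL
"""


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["ip"], m["user"], m["result"] == "OK"


def find_stuffing_sources(text, window_seconds=60, min_distinct_users=5, min_fail_ratio=0.7):
    """Return {ip: stats} for sources that tried >= min_distinct_users different accounts
    within window_seconds with a failure ratio >= min_fail_ratio.

    A brute force against one account never reaches min_distinct_users, so it is not
    flagged here; that case belongs to per-account lockout logic instead."""
    per_ip = defaultdict(lambda: {"first": None, "last": None, "users": set(),
                                  "fails": 0, "attempts": 0, "compromised": set()})
    for ts, ip, user, ok in parse_log(text):
        s = per_ip[ip]
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["compromised"].add(user)
        else:
            s["fails"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        span = (s["last"] - s["first"]).total_seconds()
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and span <= window_seconds and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "fail_ratio": ratio,
                "span_seconds": span,
                # Successful logins from a flagged source are accounts whose reused
                # password was in the combo list: force a reset, do not just block the IP.
                "compromised_accounts": sorted(s["compromised"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The window check compares the whole span of a source's activity, which is adequate for a batch run over a short log; a streaming detector would keep a sliding window per IP and evict old attempts. Real stuffing runs are also spread across proxies, so the same counting is worth doing per user-agent fingerprint or per /24 as well as per IP.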
This doesn’t indicate a Spotify breach, however, as I consistently see pastes implying a breach yet every time I’ve delved into it, it’s always come back to account takeover via password reuse. In short, this data is a combination of sources intended to be used for malicious purposes.
What about the email addresses?
Hunt examined the email addresses and found approximately 42 million unique values. During his analysis he also found that over 91% of the passwords in the data set were already in Have I Been Pwned.
Furthermore, according to the researcher, the filenames in the collection do not point to any particular source, and the addresses show no single pattern in the breaches they had previously appeared in.
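A practitioner's takeaway from the 91% figure is that most of these passwords can be rejected at signup or login before they are ever reused. The following is an added example, not Hunt's code: it implements the k-anonymity lookup that Have I Been Pwned's Pwned Passwords API uses, where the client sends only the first five hex characters of the password's SHA-1 and matches the returned suffixes locally, so the password never leaves the client. The corpus the fake server answers from is constructed from a few sample passwords with illustrative counts so that it runs offline; the live endpoint (https://api.pwnedpasswords.com/range/<prefix>) is included only as an optional fetcher.

```python
"""Check passwords against a Pwned Passwords range response without sending the password.

Added example (not Troy Hunt's code). The constructed SAMPLE_CORPUS stands in for the
real corpus so the demo runs offline; counts are illustrative, not real figures.
"""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, Iterable, Tuple

PREFIX_LEN = 5  # the API's k-anonymity prefix: 5 hex chars of the SHA-1


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


# Constructed stand-in corpus: password -> number of times seen in breaches.
SAMPLE_CORPUS: Dict[str, int] = {
    "password": 3500000,
    "123456": 23000000,
    "qwerty": 3900000,
    "letmein": 250000,
}


def build_fake_range_fetcher(corpus: Dict[str, int]) -> Callable[[str], str]:
    """Build a fetcher that mimics the API response for /range/<prefix>:
    one "SUFFIX:COUNT" line per hash in that range. The server only ever
    learns the prefix, which is shared by hundreds of unrelated hashes."""
    by_prefix: Dict[str, Dict[str, int]] = defaultdict(dict)
    for pw, count in corpus.items():
        prefix, suffix = split_hash(pw)
        by_prefix[prefix][suffix] = count

    def fetch_range(prefix: str) -> str:
        return "\r\n".join(f"{s}:{c}" for s, c in sorted(by_prefix.get(prefix, {}).items()))

    return fetch_range


def fetch_range_live(prefix: str) -> str:
    """Query the real API (network access required; not used by the offline demo)."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "pwned-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not found).
    Only the prefix leaves the client; the suffix comparison happens locally."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def screen_combo_list(pairs: Iterable[Tuple[str, str]],
                      fetch_range: Callable[[str], str]) -> Dict[str, int]:
    """For username:password pairs (the form found in a stuffing list), return
    {username: count} for every password already known to be breached."""
    hits = {}
    for user, pw in pairs:
        n = pwned_count(pw, fetch_range)
        if n:
            hits[user] = n
    return hits


if __name__ == "__main__":
    fetch = build_fake_range_fetcher(SAMPLE_CORPUS)
    # Constructed combo-list lines in the username:password form described above.
    combo = [tuple(line.split(":", 1)) for line in
             ["alice@example.com:password", "bob@example.com:Tr0ub4dor&3"]]
    print(screen_combo_list(combo, fetch))
```

To use this against the real service, pass `fetch_range_live` instead of the fake fetcher; the check is the same. The real API also supports an `Add-Padding: true` request header that pads responses to a uniform size so response length cannot hint at the prefix's contents.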
What does all of this mean?
In short, this is another one of those awareness incidents, Hunt said, explaining that he has made a commitment to HIBP subscribers to let them know whenever he sees their data. The researcher also thanked Kayo.moe for its support.