Passwords of some 3.3 million Dutch on online search engine

A large number of emails and some 3.3 million passwords of Dutch people can be found easily online through a special search engine, newspaper AD discovered on Friday. The emails and passwords of employees of manly large Dutch organizations, companies and government institutions are found on this search engines, including of organizations that fulfill a vital function, the newspaper writes. 

The database AD investigated contains a total of 1.4 billion email addresses and passwords from all over the world. Online search engines are now also available to make this data more accessible. The passwords and email addresses likely come from large data leaks over the past years, like from LinkedIn, Dropbox, Playstation, Uber and eBay, among others. 

Organizations usually let their customers know about hacks, so that they can change their passwords. But these password databases are still dangerous, because people tend to reuse passwords. "People are registered on so many websites that they often have no idea how many, often with the same password", Herbert Bos, professor of Systems and Network Security at the VU university in Amsterdam, said to the newspaper. "Even if you vary it a bit with numbers in your password, malicious parties can quickly find out about that via automated programs. And if people have your email and password, they have your identity."

The email addresses and passwords of various Dutch parliamentarians and celebrities can be found on the search engine AD looked at. Many people registered themselves on sites using their work email. As a result the database contains numerous emails from the Ministries of Defense and Foreign Affairs, among others. 

Former SP parliamentarian Sharon Gesthuizen is one of the people on the lists, using her Tweede Kamer email. "I was shocked that you had found them. I used that email and password a few years ago, not for the Tweede Kamer [the lower house of Dutch parliament], but to log in to LinkedIn. I've changed that by now", she said to the newspaper. A bit later she added in a message: "A quick check showed that I stull used that old password for Europcar, the Rotterdam film festival and another (important!) service. I'm going to change that quickly now."

Hundreds of email addresses from Defense employees are on the database. The Ministry is aware that in the past employee data was captured in a hack. "We urged our employees to change their passwords and told them that it is not desirable to use defense data such as an email address for commercial accounts, but it is not forbidden", a spokesperson said to the newspaper. The Ministry also reports that "all employees are obliged to periodically change their defense password, which is done by an automated system. The chance that the data hacked at that time can give access to defense system is hereby excluded."

Professor Bos is not so sure about this. "Even if people periodically change their passwords, it is often a variant of the previous password: for example with a 1 behind it. That means knowing a previous password makes it much easier for attackers to guess the rest of the password." 

AD became aware of this search engine for passwords when one of their journalists was contacted by a "worried" hacker, the newspaper writes. The hacker tweeted the journalist three passwords with the question 'do these belong to you?'. They all did. A few seconds later the journalist had the passwords of basically all of AD's editors.