This past week has witnessed the release (i.e., black market sale) of two massive password files from social media website breaches, and there is an outstanding question posed by the timing and use of this data. Why now? 


  • The files from Tumblr and MySpace contain just under a half billion user credentials in total (65M and 427M, respectively)
  • While the bulk are from the social media granddaddy that is MySpace, both files are old (3 years for Tumblr and 4 years for MySpace)
  • The credentials from the Tumblr breach do not seem to have been misused prior to their release (some would argue that it could be a function of the salting and hashing, but at least some would have been cracked by now)
  • Both files are being offered for sale on the Dark Web by the same person (who also offered the LinkedIn and Adobe data sets for sale)

What is clear is that the value of these credentials to fraudsters will inexorably decline thanks to the growing prevalence of stronger authentication, especially biometrics. For years (decades), fraudsters could rely on the fact that consumers typically reused passwords, meaning the password a consumer uses for Facebook or LinkedIn is probably the same one used to access online banking. The advent of mobile devices, including smartphones and tablets, has created a mechanism to more easily and inexpensively implement biometric authentication. Effective solutions have hit the market, and financial institutions (FIs) are proving very receptive to them (nearly half of the top FIs in the US support fingerprint scanning for mobile banking, according to Javelin's 2016 Mobile Banking FI Scorecard).

The public release of personal information is certainly a bad thing in absolute terms, but this recent activity may be an indication that even the bad guys recognize that the era of the password is coming to a close (so they should sell any remaining inventory before it is too late).  

The end of passwords?  That is certainly a good thing.


About Al Pascual

An accomplished industry analyst, market researcher, and financial industry practitioner, Al Pascual is Javelin’s Senior VP of Research and Head of Fraud & Security. As SVP of Research, he oversees the firm’s operations and ensures that Javelin’s research content provides the innovative perspectives that clients expect from the firm.

As Head of Fraud & Security, Al provides clients actionable insights on a variety of fraud and security issues, acts as a partner in developing strategies for managing risk, and identifies and raises awareness of future threats and solutions. Al researches a range of topics, including the applicability of biometrics in banking and payments, the effect of data breaches on the integrity of consumer identities, the relationship between identity fraud and loyalty, and the best methods for securing data and transactions.

Al has presented findings from Javelin’s rigorous, industry-leading research at conferences around the world, including BAI, CARTES, Money20/20, NACHA, and RSA. Al has provided commentary on fraud and security issues to media outlets such as American Banker, Bloomberg, CNNMoney, Fox Business, Reuters, The New York Times, The Wall Street Journal, The Washington Post, and Wired.

Previously Al held risk management roles at HSBC, Goldman Sachs, and FIS. He is a member of the Association of Certified Fraud Examiners, the International Association of Financial Crimes Investigators, and the Federal Reserve Secure Payments Task Force. He earned a Bachelor of Arts degree in History from the University of South Florida.
