Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security IT Technology

That 773M Password 'Megabreach' is Years Old (krebsonsecurity.com) 29

Security reporter Brian Krebs writes: My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it "the largest collection ever of breached data found." But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

The dump, labeled "Collection #1" and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely "made up of many different individual data breaches from literally thousands of different sources." KrebsOnSecurity sought perspective on this discovery from Alex Holden, CTO of Hold Security, a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. Holden said the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.

This discussion has been archived. No new comments can be posted.

That 773M Password 'Megabreach' is Years Old

Comments Filter:
  • Have a unique password for each and every site you visit, and then also change them often to the point where they aren't memorable and you end up using 'forgot password'. To get around that, use a password manager, and have everything linked to a single point of failure!
    • Remember to also have very strong passwords for all those sites that make you sign up just to download some trial software or to read an article! I am terrified that someone might guess my '1234' password to that site I visited 5 years ago (and will probably never visit again) and gave them a bogus email address (sorry bob@nowhere.com if you are getting lots of spam) because they could log on as me and steal....er, well nothing. Never mind.
    • by raymorris ( 2726007 ) on Friday January 18, 2019 @11:07AM (#57981916) Journal

      The current official guidelines, and what I've been saying for a long time, is don't change most passwords regularly. Exactly because you need to remember them.

      We can conveniently separate passwords into low-impact (Slashdot) and high-impact (banking and email). Frankly, my Slashdot password doesn't need to be super secure. It can even be the same as my Discus password.

      We want high-risk sites to have long passwords, and while we need to remember the password, there is some advantage to occasionally updating it. A way to achieve both is to *add* a couple characters every year or so. Maybe in 2005, a passphrase of "yummY pickle leaf$" was good enough. In 2006, I'd make it "yummY pickle leaf$ cake" or "yummY red pickle leaf$". I've changed it, but I'm leveraging my existing memory of it.

      For low-risk sites, one can have a shared base passphrase and add an extension. So:

      Slashdot: BarBoltCamSL
      Reddit: BarBoltCamRE
      Discus: BarBoltCamDi

      That's not super secure, but I don't need my Slashdot posts to be super secure.

      • by antdude ( 79039 )

        /me logs into Ray's accounts. ;)

      • You don't want to remember your passwords, and you don't want short similar passwords. Instead, auto-generate different long random strings for each site, and use KeePass or similar to store them with one high security master password.

        As a bonus, use different email addresses which point back to the site, so you can easily change them when they get hacked. E.g. slashdot2019@baz.com or baz+slashdot19@gmail.com.

        • KeePass is a good choice. "Or similar" leads to many bad options unless you're very, very careful.

          I'd still keep my banking and email password only in my head. Email is important because it can be used to reset all of your other passwords.

          Length of passphrase is more important than including punctuation or even randomish-case. Certainly adding a digit on the end and a punctuation mark doesn't help much, because everybody does "Whatever1!".

          • Speaking of other password managers, a few months ago Corporate Security at the company I worked for chose an official password manager for employees to use. The problem is, we're a security company, full of people who look for security flaws for a living, I've been told that choosing one was rough because people kept pointing out known flaws in each option. It couldn't have been nearly as bad as after they announced the choice, though. We ripped into it. Employees all over the company not only demonstrate

  • Title says 773M password breach.

    TFS says 773M email addresses and 21M passwords.

    Is it even possible for our editors to make TFS and title consistent, never mind TFS and TFA?

    For that matter, why is the link for TFA to a /. post from yesterday, and not consistent with that /. post, much less itself?

    • No TFS says 21M "unique" passwords. It's perfectly consistent when you realise a large portion of them are "12345678"

  • But you knew this already - you've surely received several "Hi, I'm a hacker, I installed a trojan on your router" spam crap, you've identified (by the password) the crappy website it was stolen from, maybe even changed it, then you checked the mail headers, saw that it came from a PC from India or Saudi Arabia and went on with your daily life.

    After all, you're a "hacker" on Slashdot.

  • That 773M Password 'Megabreach' is Years Old

    OMG -- my password is "Years Old" -- they finally GOT me!

    Now they can change my free Pandora account to listen to whatever stations they want (albeit with commercials) and I can't stop them. Whatever shall I do?

  • ....not only is it years old, but the "is my password hacked" check is astonishingly stupid?

    So...if I'm worried that my pw might have gotten into the wild, I should "check it" by entering it into a nonsecure form on some dodgy unattributed site? Really?

    Should I also send them my bank access info so they can make sure that wasn't hacked as well?

    • by Anonymous Coward

      If you read about it, your password isn't sent. It requests all matching hashes with the same prefix as your password(which your browser hashes), then the browser checks for any matches in the returned data set.

      k-Anonymity.

      The only risk I see is that you accidentally enter your password into a fake version of the website that doesn't do that. For that, there is an API you can use directly.

    • by ceoyoyo ( 59147 )

      https://haveibeenpwned.com/ [haveibeenpwned.com] asks for your e-mail address and then tells you if it's included in any known e-mail / password pair dumps. Entertainingly, it also tells you which dumps, and, if it's known, which organizations they came from.

      They could be harvesting e-mail addresses I suppose, but I pretty much assume that ship sailed a long time ago.

      Maybe you were entering your credentials into the wrong shady website?

Garbage In -- Gospel Out.

Working...