Security Technology

Hackers Are Passing Around a Megaleak of 2.2 Billion Records (wired.com), 116 comments

An anonymous reader shares a report: When hackers breached companies like Dropbox and LinkedIn in recent years -- stealing 71 and 117 million passwords, respectively -- they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web. Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords, and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year's phone book.

Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a set of cobbled-together breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2-5, which amounts to 845 gigabytes of stolen data and 25 billion records in all. After accounting for duplicates, analysts at the Hasso Plattner Institute in Potsdam, Germany, found that the total haul represents close to three times the Collection #1 batch.

  • Comment removed based on user account deletion
    • Security is like politics. Like politicians, passwords should be audited from time to time to see if they're still as good as you thought they are, and you should change them frequently. Additionally, occasionally one should take a step back and check whether the system you put into place is still up to the requirements of a changing world.

    • Re:Popcorn (Score:4, Interesting)

      by UnknownSoldier ( 67820 ) on Thursday January 31, 2019 @12:23PM (#58051038)

      Security is seen as an inconvenience / hassle by the majority so, sadly, it gets ignored, until they get p0wned. :-/

      I've posted about Inconsistent password policies for length, characters and expiry dates back in 2012 [slashdot.org]

      Duration depends on context. Some people need passwords that expire every second (thus the proliferation of authenticators), some every day, some every week, some every month, some every few months. I don't believe there is a "one size fits all policy."

      Having a RFC to standardize length, characters and expiry dates would be a good first step.

      Right now having no standard has been a complete clusterfuck as every week it seems like someone is reporting a "data breach."

      • Re:Popcorn (Score:4, Insightful)

        by kaatochacha ( 651922 ) on Thursday January 31, 2019 @02:00PM (#58051482)

        Having a RFC to standardize length, characters and expiry dates would be a good first step

        Oh my god a million times this. I was just talking with someone this morning about how they create a password that can be variable for various sites, etc but still complicated. But then you hit that site/authentication that won't take caps, or only takes some special characters, and it completely breaks down.

        • Yup, the fact that we STILL don't have an RFC in 2019 is pretty appalling. :-/

          Another tragedy:

          I forgot which (web)site I was on but it restricted my password to a maximum of 8 characters.

          WTF!? So I can't even _use_ a more cryptographically secure passphrase because of your bone-headed decisions??? What are you guys doing, sending the plain-text password over the internet??

          *facepalm*

          Maybe we need to start Naming & Shaming these companies for their idiotic security policies. That no CAPS policy is pre

          • by Bert64 ( 520050 )

            What are you guys doing, sending the plain-text password over the internet??

            Quite possibly, and having a consistent password policy isn't going to help...
            Once you set a password, you have absolutely no idea how it's stored and used - do they keep it in plain text? Do they transmit it in plain text to other places? If they aren't storing it in plain text, how robust is the storage system? How secure are the hosts on which the password is stored?

            You have absolutely no idea, and many of the breached passwords are relatively strong non dictionary words which suggests wherever they were c

      • > Having a RFC to standardize length, characters and expiry dates would be a good first step.

        It's easier than this. First step is to convince people to use a unique password for each site. Once folks start doing this, they won't be susceptible to the low hanging fruit kidhacks are using today to gain access to their online accounts.

        Ultimately, once hardware tokens are more widely adopted, these kinds of attacks will stop and likely move to another vector, like cookie session stealing through malware fo

    • Re:Popcorn (Score:4, Funny)

      by Cajun Hell ( 725246 ) on Thursday January 31, 2019 @12:34PM (#58051084) Homepage Journal
      Passwords should be chosen to make sure that they do not harm any unborn children, because THEY ARE PEOPLE. Passwords must not be allowed to infringe our right to bear arms. Passwords should not pick winners and losers. Passwords should be selected with the understanding that America was founded as a Christian nation. Passwords should not be used as an excuse to make election day a national holiday, nor should passwords enable black or poor people to vote. Do not use a password's youth and inexperience against it. American taxpayers say they won't pay for a longer password, so guess what, the password just got five billion American taxpayer dollars longer. Passwords understand the importance of bondage between a mother and child. Passwords put food on American families. Passwords took the initiative in creating the internet.
    • i got the salt and butter for the popcorn.
  • Any white hats create a DB lookup tool to allow people to check if their account was compromised?

    • Re:DB lookup? (Score:5, Informative)

      by bandwannabe ( 160057 ) on Thursday January 31, 2019 @10:15AM (#58050486) Homepage

      Assuming you're not having a laugh. Troy Hunt does this.

      https://haveibeenpwned.com/ [haveibeenpwned.com]

      • by Anonymous Coward

        FYI - and this isn't a criticism since the service is free - but that site is missing breaches despite the ridiculous numbers touted.

        Yeah, security is that bad. If you've used the Internet at all, you've been pwned.

      • it'd be nice to search on domain.. I gotta someone get the original db to check everyone at work.
        • You can search on domain, as long as you can demonstrate some sort of ownership of the domain (receive email at a certain address, add a file or meta tag to root website, add a TXT record to DNS)
      • Interesting, quite a list of mail addresses for a private domain. It's worth doing the domain verification to see what's leaked, then you can go round those services and update your unique email address with them and then /dev/null the rest. This is one of those happy moments where setting up a private mail server comes in handy; despite what others may think, I find it has been worth the time to set up.

    • I'm sure there are others, but here's one:
      https://haveibeenpwned.com/ [haveibeenpwned.com]
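The lookup service named in the comments above also publishes a password-checking endpoint that works by k-anonymity: the client sends only the first five hex characters of the password's SHA-1 hash and compares the returned hash suffixes locally, so the password itself never leaves the machine. The following is an added example written for this page, not code from Slashdot, the commenters or the service; the range data it matches against is constructed for the demo, and the `real_fetch_range` helper (which does talk to the network) is included only to show where a live fetcher would plug in and is not called.

```python
"""Check a password against a Pwned-Passwords-style range response using
k-anonymity. Only a 5-character SHA-1 prefix would be sent to the service;
the full hash is compared locally against the suffixes it returns."""
import hashlib
from typing import Callable, Dict, Tuple


def hash_parts(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into (prefix, suffix).
    Only the 5-char prefix is ever transmitted; the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' pair per line."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 if absent).
    `fetch_range` maps a hash prefix to the service's text response."""
    prefix, suffix = hash_parts(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# CONSTRUCTED sample data: a fake range response for prefix 5BAA6 (the prefix of
# SHA-1("password")). The counts and the other two suffixes are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",  # suffix of SHA-1("password")
        "3F2D9A4C91B5E6D7A8F1C2B3D4E5F60718A:12",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the service: returns the constructed response."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def real_fetch_range(prefix: str) -> str:
    """Live fetcher against the public range endpoint (needs network; unused here)."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fake_fetch_range)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample corpus'}")
```

The point of the design is that `pwned_count` never sends more than the prefix, so a user-facing tool can run this check on a new password at signup or on a password-manager entry without the checking service learning which password was asked about.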

    • I think the shorter list will be who's info was not compromised. Looking at the https://www.census.gov/popcloc... [census.gov], the current US population is approx 328 million, with 7.5 billion in the world. The number of unique entries in this dump is north of 2.3 billion. It is possible that 1 in 3 people in the world have had their info compromised. I know this is a very simplistic way of looking at it, but nonetheless a very sobering reminder of the current state of security within the companies that hold our pers

      • by Kokuyo ( 549451 )

        Simplistic indeed. There is surely going to be quite some overlap from people who had accounts with several or all of the breached entities.

        Even so, if it's only 200 million individual people, it's still an immense number...

      • 1 in 3? Try north of 95% of people who actually use internet and make log in accounts all over the place. If you use internet, you have been pwned, or at least one of the sites you have ever used has been pwned at least once which amounts to the same thing.
        • If you use internet, you have been pwned, or at least one of the sites you have ever used has been pwned at least once which amounts to the same thing.

          Umm, no. Having someone steal my /. userid & password wouldn't bother me in the slightest. It's one of many userid/password combos I don't care enough about to even bother changing it at random intervals....

          My online banking info is a whole 'nuther game, of course.

          Face it, there are a LOT of userid/password combos on the interwebs that don't amount

  • sounds cool? (Score:2, Interesting)

    by Anonymous Coward

    why can someone not just steal your mobile phone number?
    -
    all these username and password breaches sound like a conspiracy to strip users of their last bit of anonymity.
    by forcing users to two-factor authentication, with emphasis on relying on the mobile phone network, users lose their
    last vestiges of anonymity.
    why? because registering a mobile phone number as two-factor authentication with a username and password ties this account uniquely to you. obviously mobile phones are tracked and most phone numbers ge

    • Two-factor authentication does not require a mobile phone. And in fact, the services that text you are not nearly as secure as the ones that rely on hardware or software tokens.

  • A non story (Score:5, Informative)

    by DarkOx ( 621550 ) on Thursday January 31, 2019 @10:27AM (#58050540) Journal

    I use this data a lot and I can tell you that most of it is pretty old now. Old enough that it's very very rapidly declining in usefulness. Most places have forced password changes.

    The level of reuse (password at $COMPANY is the same as user@$COMPANY.com on LinkedIn) is pretty much gone. Most shops have turned up complexity since then as well. So even doing statistics by industry/region/application type/ etc and picking the most frequently used passwords for brute force attacks isn't paying off nearly so often.

    That isn't to say the word lists don't work frequently. It's not to say they don't get you a cracked hash or two when you can get hold of an app's password database or some NTDS.dit files. They do, but it's not getting you accounts that are highly privileged any more; at least not much better than even older stuff like rockyou right there in kali does. You get Bob in the stock room's account this way. You get busted right away using that account by the SIEM as well, because Bob only logs in once a week normally to read e-mail; the moment you touch another system with his account, flags go up.
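The detection the comment above describes, a SIEM flagging an account the moment it touches a host outside its usual pattern, comes down to a per-user baseline and a comparison against it. The following is an added example written for this page, not code from the commenter or any SIEM product; the auth log lines, host names and the 2019-01-30 baseline cutoff are all constructed, and the `timestamp user host result` log format is an assumption made for the demo.

```python
"""Baseline-and-deviation detection over authentication events.

Baseline: for each user, the set of hosts they successfully authenticated to
before the cutoff, and the most logins they made on any single day.
Alerts:  NEW_HOST   - a login (success or failure) to a host outside the baseline
         DAILY_RATE - more successful logins in one day than the baseline maximum
"""
import datetime as dt
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    ts: dt.datetime
    user: str
    host: str
    result: str


# CONSTRUCTED sample log: Bob reads mail once a week; Alice works daily on two hosts.
# The last block is the kind of activity the comment describes: Bob's account
# suddenly touching a file server and a domain controller at 02:00.
CONSTRUCTED_LOG = """
# timestamp           user   host     result
2019-01-14T08:02:11   bob    MAIL01   success
2019-01-21T08:05:40   bob    MAIL01   success
2019-01-28T08:01:03   bob    MAIL01   success
2019-01-14T09:10:00   alice  FILESRV  success
2019-01-15T09:12:00   alice  MAIL01   success
2019-01-16T09:11:00   alice  FILESRV  success
2019-01-31T02:14:55   bob    FILESRV  success
2019-01-31T02:15:20   bob    DC01     failure
2019-01-31T02:16:00   bob    DC01     success
2019-01-31T09:00:00   alice  FILESRV  success
"""


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated lines; '#' lines and blanks are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, host, result = line.split()
        events.append(Event(dt.datetime.fromisoformat(ts), user, host, result))
    return events


def build_baseline(events: Iterable[Event], cutoff: dt.datetime):
    """Per-user known hosts and peak successful logins per day, from pre-cutoff data."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    daily: Dict[str, Dict[dt.date, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.ts < cutoff and e.result == "success":
            hosts[e.user].add(e.host)
            daily[e.user][e.ts.date()] += 1
    max_daily = {user: max(days.values()) for user, days in daily.items()}
    return hosts, max_daily


def detect(log_text: str, cutoff_iso: str) -> List[Tuple[str, str, str]]:
    """Return (user, host, reason) alerts for post-cutoff events."""
    cutoff = dt.datetime.fromisoformat(cutoff_iso)
    events = parse_log(log_text)
    hosts, max_daily = build_baseline(events, cutoff)
    alerts: List[Tuple[str, str, str]] = []
    flagged_hosts: Set[Tuple[str, str]] = set()   # alert once per (user, host)
    flagged_days: Set[Tuple[str, dt.date]] = set()  # alert once per (user, day)
    today_count: Dict[Tuple[str, dt.date], int] = defaultdict(int)
    for e in sorted(events):
        if e.ts < cutoff:
            continue
        if e.host not in hosts.get(e.user, set()) and (e.user, e.host) not in flagged_hosts:
            flagged_hosts.add((e.user, e.host))
            alerts.append((e.user, e.host, "NEW_HOST"))
        if e.result == "success":
            key = (e.user, e.ts.date())
            today_count[key] += 1
            if today_count[key] > max_daily.get(e.user, 0) and key not in flagged_days:
                flagged_days.add(key)
                alerts.append((e.user, e.host, "DAILY_RATE"))
    return alerts


if __name__ == "__main__":
    for user, host, reason in detect(CONSTRUCTED_LOG, "2019-01-30T00:00:00"):
        print(f"{reason:10s} {user:6s} {host}")
```

Failures count toward `NEW_HOST` deliberately: a stuffed credential that is wrong on the first try still reveals that the account is being pointed at a host its owner never uses, which is the signal worth acting on before the guess succeeds.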

    • by gweihir ( 88907 )

      Well, I know some people at the HPI. I guess the leadership there sees a chance to get publicity and hence they are hyping this all out of proportion.

      • by DarkOx ( 621550 )

        Well that is hardly a problem unique to HPI..

        I guess the point I was making to clarify is that we are at the point now where the data is really just a long list of not uncommonly used, mostly terrible passwords. At some point a long list of those just becomes more entries of the same thing or predictable variations, which if you used some rules you would generate anyway.

        People will never stop using bad passwords so you are also going to get some hits if you try enough of them or try a few of them over a large

    • by Anonymous Coward

      I use this data a lot and I can tell you that most of it is pretty old now. Old enough that its very very rapidly declining in usefulness.

      Mine would work, since I've been using the same password for 25 years. If it needs to be "strong" then I'll just add '123456' to the end so it should still be pretty easy to guess.

      Enjoy my marthastewart.com account.

    • Scammers have been using it, sending emails that start with, "I know your password, here it is." That builds trust, then they continue with something like, "I know what you were looking at and I will send it to your family if you don't pay me."

      So there can be other ways to use this besides just hacking the accounts directly.
      • If someone sent me a creepy email showing me they knew my password, that would build the opposite of trust...

        • You would trust that they knew things about you, more than a random spammer.
        • It's blackmail, not trust. They make a fake threat saying they'll expose your porn habits and nudes they hacked from your webcam unless you pay them by Bitcoin; in reality nothing happens in the end beyond that threatening email with your password in the subject or message. https://www.businessinsider.co... [businessinsider.com] there's a screenshot on this article if you want to see for yourself.

    • by nagora ( 177841 )

      Repeal the 17th Amendment TODAY!

      Why's that, then?

      • by DarkOx ( 621550 )

        Let state legislatures appoint them as was originally done obviously.

        We already have the House to directly represent the people. The senate should be there to represent interests of the states.

  • Seriously, this is all old stuff, people have been notified and many accounts are not even active. Anybody that uses minimal sane security (i.e. good passwords and no reuse, just use a password manager) is not at risk at all. Others would be at risk even without this.

  • Make every single website you visit have a unique password.
    Then also change those passwords often.
    Do this to the point where you can't even remember the password and have to use 'reset password' anyway.

    Alternatively, use a password manager and make everything depend on a single point of failure
    • Make every single website you visit have a unique password.

      Then also change those passwords often.

      Do this to the point where you can't even remember the password and have to use 'reset password' anyway.

      Alternatively, use a password manager and make everything depend on a single point of failure

      Are there any password managers that nag you (after some period of time) to change your password on a certain site? Because that would be helpful.

      • by Ksevio ( 865461 )
        Lastpass has a report you can generate that tells you to replace old passwords. It nags you to run it now and then
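The audit asked about above (a manager that nags about old passwords) and the reuse problem raised throughout this thread are both simple checks to run over a vault export. The following is an added example written for this page, not code from the commenters or from any password manager; the CSV export, its `site,username,password,last_changed` column layout, the sites and the passwords are all constructed for the demo, and the 365-day threshold is an arbitrary choice.

```python
"""Audit a password-manager export for stale and reused passwords.

STALE  - last_changed is older than max_age_days
REUSED - the same password (compared by SHA-256, so the findings list never
         carries plaintext) protects more than one site
"""
import csv
import datetime as dt
import hashlib
import io
from collections import defaultdict
from typing import Dict, List, Tuple

# CONSTRUCTED vault export. Note the bank password reused for an online cable
# store, and one throwaway password shared by two forums.
CONSTRUCTED_EXPORT = """site,username,password,last_changed
bank.example,alice,Tr0ub4dor&3-bank,2018-12-02
mail.example,alice,correct horse battery staple,2017-05-14
shop.example,alice,hunter2,2016-09-30
forum.example,alice,hunter2,2019-01-10
cable-store.example,alice,Tr0ub4dor&3-bank,2018-03-03
"""


def load_vault(text: str) -> List[Dict[str, str]]:
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_vault(entries: List[Dict[str, str]], today_iso: str,
                max_age_days: int = 365) -> List[Tuple[str, str, str]]:
    """Return (kind, sites, detail) findings; `today_iso` is an ISO date string."""
    today = dt.date.fromisoformat(today_iso)
    findings: List[Tuple[str, str, str]] = []
    sites_by_hash: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        age = (today - dt.date.fromisoformat(e["last_changed"])).days
        if age > max_age_days:
            findings.append(("STALE", e["site"], f"{age} days since last change"))
        digest = hashlib.sha256(e["password"].encode("utf-8")).hexdigest()
        sites_by_hash[digest].append(e["site"])
    for sites in sites_by_hash.values():
        if len(sites) > 1:
            findings.append(("REUSED", ", ".join(sorted(sites)),
                             f"{len(sites)} sites share one password"))
    return findings


if __name__ == "__main__":
    for kind, sites, detail in audit_vault(load_vault(CONSTRUCTED_EXPORT), "2019-01-31"):
        print(f"{kind:7s} {sites:40s} {detail}")
```

Hashing before grouping is the one deliberate design choice: the report can be printed, logged or mailed to a user without reproducing any password, which matters because the audit output is exactly the kind of file that ends up in a ticket or a chat message.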
    • by raymorris ( 2726007 ) on Thursday January 31, 2019 @11:03AM (#58050702) Journal

      The government doesn't treat all of their 20 billion documents as if they are Top Secret, because that would be totally unworkable. There aren't nearly enough basement servers and Reddit-using community college sysadmins to handle all of that data.

      Why would YOU treat your Disqus account or that place you ordered a USB cable from at the same security level as your bank account? Your 401k account with $350,000 in it needs to be secure. Your password for commenting on Fox News articles doesn't require the same security.

      I have basically three passwords (really three patterns for passwords):

      Sites I really don't care about. Post on a Fox News comment with my handle; I don't care. These all get almost the same trash password. I'm tempted to post that password here just to demonstrate how much it doesn't matter. This is most sites, which I'll only ever log into once or twice.

      Sites I don't want you to have my password for, but it wouldn't do MAJOR damage.

      Banking and email. Email is important because it can be used for password resets on other sites.

      Based on 20 years in security, including over 10 years analyzing login data from people trying to log in with someone else's account, I think I'm reasonably secure. And I really only remember three password bases. Yeah an old version of my trash password is in the leaks. So what.

      The other thing I do is add a couple of characters every year. That way the old password doesn't work, and I'm still using the memory of the password I was using ten years ago - just with more stuff added.

      • Why would YOU treat your Disqus account or that place you ordered a USB cable from at the same security level as your bank account?

        A government doesn't protect every document because 1) it's infeasible, 2) there is public interest in not doing so, and 3) if they lose a document, there may be consequences, but they are not all focused on one individual.

        A person should protect every account because 1) it's feasible, 2) there is no legitimate public interest in not doing so, and 3) you suffer all the consequences of a breach personally.

        If you don't want to remember all those miscellaneous passwords, just don't, and recover them every time

        • by Bert64 ( 520050 )

          If you're relying on the recovery process, then people will just attack that...
          Typical recovery questions are weak, and based on information that can often be discovered.

          • If you're relying on the recovery process, then people will just attack that...
            Typical recovery questions are weak, and based on information that can often be discovered.

            Yeah, that's a real problem. I had to use more password-type strings for my bank's secret questions as a result, since all their questions were things that someone could reasonably guess. So lame, so lame. So I wrote them down and keep them in the safe...

      • The other thing I do is add a couple of characters every year. That way the old password doesn't work, and I'm still using the memory of the password I was using ten years ago - just with more stuff added.

        Nice idea.

      • by ljw1004 ( 764174 )

        I have basically three passwords (really three patterns for passwords):

        Sites I really don't care about. Post on a Fox News comment with my handle; [snip]

        Compared to just using LastPass or similar, I think your approach sounds more complicated, more time-consuming and less secure.

    • by pjt33 ( 739471 )

      What do you mean, "Alternatively"? It sounds like your first approach just uses your e-mail account as the password manager and single point of failure.

  • by Anonymous Coward on Thursday January 31, 2019 @10:30AM (#58050570)

    I wonder if these are the same hackers who installed a malware on my favorite 18+ videos site that made my browser start a remote control desktop and keylogger and allowed them to take control of my cam. (I didn't even know I had a cam!!) And they got my contacts and made a video of what I was watching and what I was doing when I was watching the 18+ videos, and they're going to send it to all my contacts unless I pay a bitcoin.

  • This is half smart-ass and half not. But, I have about 5 old accounts on Yahoo and others that I'd like to get access to. Maybe I should get a copy of the database to see if I could recover my passwords?
  • > ...like Dropbox and LinkedIn...

    Why doesn't the article or the .de site list which breaches are included?

  • by OneHundredAndTen ( 1523865 ) on Thursday January 31, 2019 @11:00AM (#58050694)
    This is why companies don't take security seriously: huge leaks like those, and for both Dropbox and LinkedIn it is pretty much business as usual. In essence, no really serious backlash on them, no responsibilities to honor. It's cheaper for them to do nothing and absorb the cost of such breaches rather than investing in the security that would make them far less likely to happen. As long as the lack of decent security does not affect companies' shareholders' bottom lines in really noticeable ways, companies will carry on doing very, very little in this respect, other than paying lip service to security, in order to maintain a credible public facade.
  • by fluffernutter ( 1411889 ) on Thursday January 31, 2019 @11:09AM (#58050730)
    IMHO... Anyone who makes their files internet accessible from a giant service deserves what they get. It's not a safe thing to do.
  • Breach (Score:5, Interesting)

    by ledow ( 319597 ) on Thursday January 31, 2019 @11:24AM (#58050808) Homepage

    Except...

    Most of them are old news.
    Most of them are tiny little independent websites that suffered breaches because of things like Wordpress plugins years out of date, etc.
    Most of them are Russian, Korean and other such websites.
    The "big" websites in there, their data is basically just culled from the big breaches that we already know about.
    Everything else is just random spam and junk.
    Quite a lot of it is probably so outdated and useless that it's of no use whatsoever any more.

    I ran HaveIBeenPwned over my domains (including work) about it. Given that we see a regular staff flux, and staff sign up to all kinds of outside services on their work accounts, something would show. And my personal domains have been in the wild for years and I use individual usernames@mydomain.com as burner accounts for things I *know* are dodgy and are gonna get spammed / hacked.

    I got literally 80-90% nonsense (i.e. that email literally has NEVER existed, just made up nonsense, off-by-ones, truncated or padded versions of other usernames on the list, etc.). The rest was just things like known forum-leaks where your username and password for Joe Blogg's Cake Emporium got onto the net. The same was true of all my domains - thousands of users, many of them have left and left their accounts active on defunct sites, decades of history, all kinds of external services plugged into on a regular basis.

    And nothing that even hinted at a valid username and password combination.

    Some kid copy/pasted every "leak" they found in the wild, in the process hitting upon data not only years out of date but also incorrectly formatted and column-sliced so that a lot of nonsense came out. They shoved it into a folder somewhere and someone found it.

    Just because it has 2 billion entries means nothing. I probably have 100+ accounts, just from my recent stuff online, let alone everything back to the ages of some of those "leaks". And 90% of it is absolute made-up junk.

    That takes it down to 18 million people affected before you even start. 18 million people probably use the password "password" for at least one account that they don't care about.

    It's not a huge leak of ultra-secret information from Microsoft, Google, Facebook, governments, etc. It's a copy-paste of every tiny leak that's already happened, back to decades-old exploits of tiny mom'n'pop websites, collected into one (presumably multi-gigabyte) file.

    There would be more damaging information in even a single multi-gigabyte customer database from any major supermarket. At least it would stand a decent chance of being correctly formatted, up-to-date, containing recent details, and have something "potentially damaging" inside it.

    Talk about overblown.

  • Effects (Score:4, Insightful)

    by duke_cheetah2003 ( 862933 ) on Thursday January 31, 2019 @12:41PM (#58051104) Homepage

    One effect of these seeming continuous reports of data breaches of all sorts of internet companies is the changes to the types of Spam/phishing emails I am receiving.

    It's most disturbing to see your password in the clear, in an email subject, along with an email explaining you've been hacked and blah blah send us bitcoin or we'll do stuff. Whatever.

    Personally I was a bit alarmed by this initially, but also, it was my least important password, the one I use on garbage sites once to download a forum post or similar things.

    But you know, other people who may not be wise enough to not use the same password on different sites, they might take this sort of email entirely differently. As I said, it alarmed me initially. Certainly got me to inspect all my gear for signs of compromise.

    Later in the evening, after finding no evidence of any tampering on any of my stuff, I concluded it must have been a hacked site's data falling into a phishing outfit's hands. It was my least 'secure' password that I throw at sites I don't really plan to use more than once.

    Watch out for these emails, is what I'm saying here. They can really unnerve even an old dinosaur like myself.

  • There are really three possibilities here, either you're not in the list, you ARE in the list and you know it, or you ARE in the list and you don't know it.

    Since "you need to change your password immediately" is the response for only one of those situations, knowing you're in such a list is very important. It lets you know you need to take action.

    It's actually worse if you're in a list like that and you have no way of knowing it, (like if it's only being passed around on darkweb sites) because you
