Hackers Are Passing Around a Megaleak of 2.2 Billion Records (wired.com)
An anonymous reader shares a report: When hackers breached companies like Dropbox and LinkedIn in recent years -- stealing 71 and 117 million passwords, respectively -- they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web. Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords, and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year's phone book.
Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a set of cobbled-together breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2-5, which amounts to 845 gigabytes of stolen data and 25 billion records in all. After accounting for duplicates, analysts at the Hasso Plattner Institute in Potsdam, Germany, found that the total haul represents close to three times the Collection #1 batch.
Re: (Score:1)
Re: (Score:3)
Security is like politics. Like politicians, passwords should be audited from time to time to see if they're still as good as you thought they are, and you should change them frequently. Additionally, occasionally one should take a step back and check whether the system you put into place is still up to the requirements of a changing world.
Re: (Score:2)
Availability is one facet of the information security triad, i.e. confidentiality, integrity and availability. What's your point?
Re: (Score:2)
Put in a safe and drop it in the Mariana trench
What's in the safe? When someone wants to use it, how convenient is it to retrieve for use?
Given enough resources, even that is not secure enough.
Re:Popcorn (Score:4, Interesting)
Security is seen as an inconvenience / hassle by the majority so, sadly, it gets ignored, until they get p0wned. :-/
I've posted about inconsistent password policies for length, characters and expiry dates back in 2012 [slashdot.org]
Duration depends on context. Some people need passwords that expire every second (thus the proliferation of authenticators), some every day, some every week, some every month, some every few months. I don't believe there is a "one size fits all policy."
Having a RFC to standardize length, characters and expiry dates would be a good first step.
Right now having no standard has been a complete clusterfuck as every week it seems like someone is reporting a "data breach."
Re:Popcorn (Score:4, Insightful)
Having a RFC to standardize length, characters and expiry dates would be a good first step
Oh my god a million times this. I was just talking with someone this morning about how they create a password that can be variable for various sites, etc but still complicated. But then you hit that site/authentication that won't take caps, or only takes some special characters, and it completely breaks down.
Re: (Score:2)
Yup, the fact that we STILL don't have an RFC in 2019 is pretty appalling. :-/
Another tragedy:
I forgot which (web)site I was on but it restricted my password to a maximum of 8 characters.
WTF!? So I can't even _use_ a more cryptographically secure passphrase because of your bone-headed decisions??? What are you guys doing, sending the plain-text password over the internet??
*facepalm*
Maybe we need to start Naming & Shaming these companies for their idiotic security policies. That no CAPS policy is pre
Re: (Score:2)
What are you guys doing, sending the plain-text password over the internet??
Quite possibly, and having a consistent password policy isn't going to help...
Once you set a password, you have absolutely no idea how it's stored and used - do they keep it in plain text? Do they transmit it in plain text to other places? If they aren't storing it in plain text, how robust is the storage system? How secure are the hosts on which the password is stored?
You have absolutely no idea, and many of the breached passwords are relatively strong non dictionary words which suggests wherever they were c
Re: (Score:2)
Wow, 6 characters!?
If that isn't *facepalm* of the century ...
Re: (Score:2)
> Having a RFC to standardize length, characters and expiry dates would be a good first step.
It's easier than this. First step is to convince people to use a unique password for each site. Once folks start doing this, they won't be susceptible to the low hanging fruit kidhacks are using today to gain access to their online accounts.
Ultimately, once hardware tokens are more widely adopted, these kinds of attacks will stop and likely move to another vector, like cookie session stealing through malware fo
Re:Popcorn (Score:4, Funny)
Re: Popcorn (Score:1)
Re: (Score:1)
Re: (Score:2)
Sarcastic reply indicating I didn't even read the thread.
Re: (Score:2)
All of you just made my day.
Re: (Score:2)
I'd rather have my throwaway passwords and account details on fly-by-night websites leaked and exposed by a thousand Russian hackers than my true personal data collected and held secretly and against my will by FANGs.
DB lookup? (Score:2)
Any white hats create a DB lookup tool to allow people to check if their account was compromised?
Re:DB lookup? (Score:5, Informative)
Assuming you're not having a laugh. Troy Hunt does this.
https://haveibeenpwned.com/ [haveibeenpwned.com]
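Troy Hunt's site also lets a client check a password without handing it over: hash it, send only the first five hex characters of the SHA-1, and compare the returned suffixes locally. As an added example (not code from this page or from the service), this walks through that k-anonymity range check offline against a constructed range response; the `fetch_range` helper targets the public api.pwnedpasswords.com endpoint but is not called by the offline demo.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Constructed sample of a k-anonymity "range" response: one "SUFFIX:COUNT"
# line per hash that shares the queried 5-character prefix. The counts and
# the other suffixes are made up for this example; the first suffix is the
# real SHA-1 tail of the string "password".
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000
1E4D0DE2B1A5F3A9C0B1C2D3E4F5A6B7C8D:12
2A4C8B1D2E3F4A5B6C7D8E9F0A1B2C3D4E5:1
"""


def hash_parts(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of a password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in breaches according to the
    supplied range response; 0 if its suffix is absent from the list."""
    _, suffix = hash_parts(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the live range response for a 5-char prefix (network call;
    the offline demo below never invokes this)."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = hash_parts(pw)
        # Only the constructed 5BAA6 range is available offline.
        body = SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
        print(f"{pw!r}: prefix sent={prefix}, seen {breach_count(pw, body)} times")
```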
Re: DB lookup? (Score:1)
FYI - and this isn't a criticism since the service is free - but that site is missing breaches despite the ridiculous numbers touted.
Yeah, security is that bad. If you've used the Internet at all, you've been pwned.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
https://haveibeenpwned.com/Pwn... [haveibeenpwned.com] you won't but if you're really unsure about that site's security you can browse the list of sites here, but there's no database around except in the darknet or some other file sharing service.
Re: (Score:2)
Interesting, quite a list of mail addresses for a private domain. It's worth doing the domain verification to see what's leaked, then you can go round those services and update your unique email address with them and then /dev/null the rest. This is one of those happy moments where setting up a private mail server comes in handy, despite what others may think, I find it has been worth the time to set up.
Re: DB lookup? (Score:1)
I'm sure there are others, but here's one:
https://haveibeenpwned.com/ [haveibeenpwned.com]
Re: (Score:2)
I think the shorter list will be who's info was not compromised. Looking at the https://www.census.gov/popcloc... [census.gov], the current US population is approx 328 million, with 7.5 billion in the world. The number of unique entries in this dump is north of 2.3 billion. It is possible that 1 in 3 people in the world have had their info compromised. I know this is a very simplistic way of looking at it, but nonetheless a very sobering reminder of the current state of security within the companies that hold our pers
Re: (Score:3)
Simplistic indeed. There is surely going to be quite some overlap from people who had accounts with several or all of the breached entities.
Even so, if it's only 200 million individual people, it's still an immense number...
Re: (Score:2)
Re: (Score:2)
Umm, no. Having someone steal my /. userid & password wouldn't bother me in the slightest. It's one of many userid/password combos I don't care enough about to even bother changing it at random intervals....
My online banking info is a whole 'nuther game, of course.
Face it, there are a LOT of userid/password combos on the interwebs that don't amount
Re: (Score:2)
I just refuse to set up online relationships with financial organisations.
You think this makes you safer, but it makes you LESS safe.
If you have no online account, it is not so hard for someone to create one. I set up my mom's online account, and all I needed was her account number and SSN. I set it up to link to my email address, and used my cellphone to authenticate. Now I can log in and do anything with her account.
sounds cool? (Score:2, Interesting)
why can someone not just steal your mobile phone number?
-
all these username and password breaches sound like a conspiracy to strip users of their last bit of anonymity.
by forcing users to two-factor authentication, with emphasis on relying on the mobile phone network, users lose their last vestiges of anonymity.
why? because registering a mobile phone number as two-factor authentication with a username and password ties this account uniquely to you. obviously mobile phones are tracked and most phone numbers ge
Re: (Score:2)
Two-factor authentication does not require a mobile phone. And in fact, the services that text you are not nearly as secure as the ones that rely on hardware or software tokens.
A non story (Score:5, Informative)
I use this data a lot and I can tell you that most of it is pretty old now. Old enough that it's very very rapidly declining in usefulness. Most places have forced password changes.
The level of reuse (password at $COMPANY is the same as user@$COMPANY.com on LinkedIn) is pretty much gone. Most shops have turned up complexity since then as well. So even doing statistics by industry/region/application type/etc. and picking the most frequently used passwords for brute force attacks isn't paying off nearly so often.
That isn't to say the word lists don't work frequently. It's not to say they don't get you a cracked hash or two when you can get hold of an app's password database or some NTDS.dit files. They do, but it's not getting you accounts that are highly privileged any more; at least not much better than even older stuff like rockyou right there in Kali does. You get Bob in the stock room's account this way. You get busted right away using that account by the SIEM as well, because Bob only logs in once a week normally to read e-mail; the moment you touch another system with his account, flags go up.
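The SIEM point in the comment above, as an added example (not the commenter's code): build each account's usual hosts and busiest day from a baseline of login records, then flag the moment a low-activity account like Bob's reaches a host it never used. The log format, host names and users are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"host=(?P<host>\S+) result=(?P<result>success|failure)$"
)

# Constructed baseline: "bob" reads mail on mail01 once a week and nothing
# else; "alice" is an admin who touches several hosts every day.
BASELINE_LOGS = """\
2019-01-07T08:55:10 user=bob host=mail01 result=success
2019-01-14T09:02:11 user=bob host=mail01 result=success
2019-01-21T08:58:43 user=bob host=mail01 result=success
2019-01-28T09:01:05 user=bob host=mail01 result=success
2019-01-07T07:30:00 user=alice host=fs02 result=success
2019-01-07T07:31:00 user=alice host=hr-db result=success
2019-01-07T07:32:00 user=alice host=mail01 result=success
2019-01-08T07:30:00 user=alice host=fs02 result=success
2019-01-08T07:31:00 user=alice host=hr-db result=success
2019-01-08T07:32:00 user=alice host=mail01 result=success
"""

# Constructed new day: bob's leaked password is replayed and his account
# suddenly reaches systems it has never touched.
NEW_LOGS = """\
2019-02-04T09:00:12 user=bob host=mail01 result=success
2019-02-04T09:04:40 user=bob host=fs02 result=success
2019-02-04T09:05:02 user=bob host=hr-db result=success
2019-02-04T07:30:00 user=alice host=fs02 result=success
2019-02-04T07:31:00 user=alice host=hr-db result=success
"""


def parse_events(text):
    """Yield (timestamp, user, host) for every successful login line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m["result"] == "success":
            yield datetime.fromisoformat(m["ts"]), m["user"], m["host"]


def build_baseline(text):
    """Per user: the set of hosts ever logged into and the busiest day seen."""
    hosts = defaultdict(set)
    per_day = defaultdict(int)
    for ts, user, host in parse_events(text):
        hosts[user].add(host)
        per_day[(user, ts.date())] += 1
    max_per_day = defaultdict(int)
    for (user, _), n in per_day.items():
        max_per_day[user] = max(max_per_day[user], n)
    return {u: {"hosts": hosts[u], "max_per_day": max_per_day[u]} for u in hosts}


def detect(baseline, text):
    """Return one alert per login that breaks the user's baseline profile."""
    alerts = []
    seen_today = defaultdict(int)
    for ts, user, host in parse_events(text):
        seen_today[(user, ts.date())] += 1
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if host not in profile["hosts"]:
                reasons.append(f"first login to {host}")
            if seen_today[(user, ts.date())] > profile["max_per_day"]:
                reasons.append("more logins today than any baseline day")
        if reasons:
            alerts.append({"ts": ts.isoformat(), "user": user, "host": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(alert)
```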
Re: (Score:2)
Well, I know some people at the HPI. I guess the leadership there sees a chance to get publicity and hence they are hyping this all out of proportion.
Re: (Score:2)
Well that is hardly a problem unique to HPI..
I guess the point I was making, to clarify, is that we are at the point now where the data is really just a long list of not uncommonly used, mostly terrible passwords. At some point a long list of those just becomes more entries of the same thing, or predictable variations which, if you used some rules, you would generate anyway.
People will never stop using bad passwords, so you are also going to get some hits if you try enough of them or try a few of them over a large
Re: (Score:1)
I use this data a lot and I can tell you that most of it is pretty old now. Old enough that its very very rapidly declining in usefulness.
Mine would work, since I've been using the same password for 25 years. If it needs to be "strong" then I'll just add '123456' to the end so it should still be pretty easy to guess.
Enjoy my marthastewart.com account.
Re: (Score:2)
So there can be other ways to use this besides just hacking the accounts directly.
Re: (Score:2)
If someone sent me a creepy email showing me they knew my password, that would build the opposite of trust...
Re: (Score:2)
Re: (Score:2)
It's blackmail, not trust. They make a fake threat saying they'll expose your porn habits and nudes they hacked from your webcam unless you pay them by Bitcoin; in reality nothing happens in the end beyond that threatening email with your password in the subject or message. https://www.businessinsider.co... [businessinsider.com] there's a screenshot on this article if you want to see for yourself.
Re: (Score:2)
Repeal the 17th Amendment TODAY!
Why's that, then?
Re: (Score:2)
Let state legislatures appoint them as was originally done obviously.
We already have the House to directly represent the people. The senate should be there to represent interests of the states.
Re: (Score:2)
Requiring regular password changes usually makes things worse... Passwords should only be changed if there is reason to suspect they have been breached.
Re: (Score:2)
Disagree. Requiring regular changes does several things:
1) It fights direct password reuse, which matters because most attackers are going for the lowest hanging fruit. If you get e-mail/password pairs from one organization or application, they will try them directly on the other. Even having changed from P@ssw0rd! to P@ssw0rd!! might very well spare your account.
2) It provides an opportunity to get passwords policy compliant. If you used to only require 8 chars but now require 10, it means you won't have peo
Re: (Score:2)
3) only works in theory; in practice users will often change their passwords predictably and the attacker will simply use the next password in the sequence.
4) or results in the password being written down / stored in an easily visible location.
Most people can memorise a difficult password/passphrase if they have to, however if you make them keep changing it they won't want to memorise a completely different password at arbitrary intervals, so they will either start writing their passwords down or using pred
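Both sides of this exchange describe the same failure: rotations that only append a character (P@ssw0rd! to P@ssw0rd!!) or bump a counter. As an added example (not from either commenter), this change-time check refuses a new password that is a trivial variation of the old one; the edit-distance threshold and the set of "counter" characters it strips are assumptions.

```python
import re


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Assumed set of characters people tack onto the end as a rotation counter.
_TRAILING = re.compile(r"[0-9!@#$%^&*()_+=\-.,?]+$")


def core(password: str) -> str:
    """Case-fold and strip the trailing digits/symbols used as counters."""
    return _TRAILING.sub("", password.casefold())


def rejects_trivial_change(old: str, new: str, max_distance: int = 2) -> list:
    """Reasons a rotation from old to new should be refused; empty means OK."""
    reasons = []
    o, n = old.casefold(), new.casefold()
    if o == n:
        reasons.append("unchanged")
    elif n.startswith(o) or o.startswith(n) or n.endswith(o) or o.endswith(n):
        reasons.append("old password reused with characters added or removed")
    if o != n and levenshtein(o, n) <= max_distance:
        reasons.append(f"within {max_distance} edits of the old password")
    if o != n and core(o) and core(o) == core(n):
        reasons.append("same base word, only the trailing counter changed")
    return reasons


if __name__ == "__main__":
    for old, new in (("P@ssw0rd!", "P@ssw0rd!!"),
                     ("Winter2018!", "Winter2019!"),
                     ("P@ssw0rd!", "correct horse battery staple")):
        print(f"{old!r} -> {new!r}: {rejects_trivial_change(old, new) or 'accepted'}")
```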
Who cares (Score:2)
Seriously, this is all old stuff, people have been notified and many accounts are not even active. Anybody that uses minimal sane security (i.e. good passwords and no reuse, just use a password manager) is not at risk at all. Others would be at risk even without this.
Tips for passwords (Score:1)
Then also change those passwords often.
Do this to the point where you can't even remember the password and have to use 'reset password' anyway.
Alternatively, use a password manager and make everything depend on a single point of failure
Re: (Score:2)
Make every single website you visit have a unique password.
Then also change those passwords often.
Do this to the point where you can't even remember the password and have to use 'reset password' anyway.
Alternatively, use a password manager and make everything depend on a single point of failure
Are there any password managers that nag you (after some period of time) to change your password on a certain site? Because that would be helpful.
Re: (Score:3)
Third option - two or three security levels (Score:5, Informative)
The government doesn't treat all of their 20 billion documents as if they are Top Secret, because that would be totally unworkable. There aren't nearly enough basement servers and Reddit-using community college sysadmins to handle all of that data.
Why would YOU treat your Discus account or that place you ordered a USB cable from at the same security level as your bank account? Your 401k account with $350,000 in it needs to be secure. Your password for commenting on Fox News articles doesn't require the same security.
I have basically three passwords (really three patterns for passwords):
Sites I really don't care about. Post on a Fox News comment with my handle; I don't care. These all get almost the same trash password. I'm tempted to post that password here just to demonstrate how much it doesn't matter. This is most sites, which I'll only ever log into once or twice.
Sites I don't want you to have my password for, but it wouldn't do MAJOR damage.
Banking and email. Email is important because it can be used for password resets on other sites.
Based on 20 years in security, including over 10 years analyzing login data from people trying to log in with someone else's account, I think I'm reasonably secure. And I really only remember three password bases. Yeah an old version of my trash password is in the leaks. So what.
The other thing I do is add a couple of characters every year. That way the old password doesn't work, and I'm still using the memory of the password I was using ten years ago - just with more stuff added.
Re: (Score:2)
Why would YOU treat your Discus account or that place you ordered a USB cable from at the same security level as your bank account?
A government doesn't protect every document because 1) it's infeasible, 2) there is public interest in not doing so, and 3) if they lose a document, there may be consequences, but they are not all focused on one individual.
A person should protect every account because 1) it's feasible, 2) there is no legitimate public interest in not doing so, and 3) you suffer all the consequences of a breach personally.
If you don't want to remember all those miscellaneous passwords, just don't, and recover them every time
Re: (Score:2)
If you're relying on the recovery process, then people will just attack that...
Typical recovery questions are weak, and based on information that can often be discovered.
Re: (Score:2)
If you're relying on the recovery process, then people will just attack that...
Typical recovery questions are weak, and based on information that can often be discovered.
Yeah, that's a real problem. I had to use more password-type strings for my bank's secret questions as a result, since all their questions were things that someone could reasonably guess. So lame, so lame. So I wrote them down and keep them in the safe...
Re: (Score:2)
The other thing I do is add a couple of characters every year. That way the old password doesn't work, and I'm still using the memory of the password I was using ten years ago - just with more stuff added.
Nice idea.
Wow I really shouldn't post while running late (Score:2)
I was writing / editing that post super quickly because it was time for Scrum.
I murdered the English language.
Re: (Score:1)
Another example of the horrors that arise from agile programming.
Re: (Score:2)
I have basically three passwords (really three patterns for passwords):
Sites I really don't care about. Post on a Fox News comment with my handle; [snip]
Compared to just using LastPass or similar, I think your approach sounds more complicated, more time-consuming and less secure.
Re: (Score:3)
What do you mean, "Alternatively"? It sounds like your first approach just uses your e-mail account as the password manager and single point of failure.
I hate hackers! (Score:5, Funny)
I wonder if these are the same hackers who installed malware on my favorite 18+ videos site that made my browser start a remote control desktop and keylogger and allowed them to take control of my cam. (I didn't even know I had a cam!!) And they got my contacts and made a video of what I was watching and what I was doing when I was watching the 18+ videos, and they're going to send it to all my contacts unless I pay a bitcoin.
Re: (Score:1)
Ah, so that was YOU that I got the video of...so many to sort through, it's tough to know which are which.
Password Recovery (Score:2)
Which companies' breaches are included? (Score:2)
> ...like Dropbox and LinkedIn...
Why doesn't the article or the .de site list which breaches are included?
Security never taken seriously (Score:3)
IMHO (Score:3)
Breach (Score:5, Interesting)
Except...
Most of them are old news.
Most of them are tiny little independent website that suffered breaches because of things like Wordpress plugins years out of date, etc.
Most of them are Russian, Korean and other such websites.
The "big" websites in there, their data is basically just culled from the big breaches that we already know about.
Everything else is just random spam and junk.
Quite a lot of it is probably so outdated and useless that it's of no use whatsoever any more.
I ran HaveIBeenPwned over my domains (including work) about it. Given that we see a regular staff flux, and staff sign up to all kinds of outside services on their work accounts, something would show. And my personal domains have been in the wild for years and I use individual usernames@mydomain.com as burner accounts for things I *know* are dodgy and are gonna get spammed / hacked.
I got literally 80-90% nonsense (i.e. that email literally has NEVER existed, just made up nonsense, off-by-ones, truncated or padded versions of other usernames on the list, etc.). The rest was just things like known forum-leaks where your username and password for Joe Blogg's Cake Emporium got onto the net. The same was true of all my domains - thousands of users, many of them have left and left their accounts active on defunct sites, decades of history, all kinds of external services plugged into on a regular basis.
And nothing that even hinted at a valid username and password combination.
Some kid copy/pasted every "leak" they found in the wild, in the process hitting upon data not only years out of date but also incorrectly formatted and column-sliced so that a lot of nonsense came out. They shoved it into a folder somewhere and someone found it.
Just because it has 2 billion entries means nothing. I probably have 100+ accounts, just from my recent stuff online, let alone everything back to the ages of some of those "leaks". And 90% of it is absolute made-up junk.
That takes it down to 18 million people affected before you even start. 18 million people probably use the password "password" for at least one account that they don't care about.
It's not a huge leak of ultra-secret information from Microsoft, Google, Facebook, governments, etc. It's a copy-paste of every tiny leak that's already happened, back to decades-old exploits of tiny mom'n'pop websites, collected into one (presumably multi-gigabyte) file.
There would be more damaging information in even a single multi-gigabyte customer database from any major supermarket. At least it would stand a decent chance of being correctly formatted, up-to-date, containing recent details, and have something "potentially damaging" inside it.
Talk about overblown.
Effects (Score:4, Insightful)
One effect of these seeming continuous reports of data breaches of all sorts of internet companies is the changes to the types of Spam/phishing emails I am receiving.
It's most disturbing to see your password in the clear, in an email subject, along with an email explaining you've been hacked and blah blah send us bitcoin or we'll do stuff. Whatever.
Personally I was a bit alarmed by this initially, but also, it was my least important password, the one I use on garbage sites once to download a forum post or similar things.
But you know, other people who may not be wise enough to not use the same password on different sites, they might take this sort of email entirely differently. As I said, it alarmed me initially. Certainly got me to inspect all my gear for signs of compromise.
Later in the evening, after finding no evidence of any tampering on any of my stuff, I concluded it must have been a hacked site's data falling into a phishing outfit's hands. It was my least 'secure' password that I throw at sites I don't really plan to use more than once.
Watch out for these emails, is what I'm saying here. They can really unnerve even an old dinosaur like myself.
you DO realize this is a good thing, right? (Score:2)
There are really three possibilities here, either you're not in the list, you ARE in the list and you know it, or you ARE in the list and you don't know it.
Since "you need to change your password immediately" is only the response for one of those situations, knowing you're in such a list is very important. It lets you know you need to take action.
It's actually worse if you're in a list like that and you have no way of knowing it, (like if it's only being passed around on darkweb sites) because you
Re: (Score:1)
Google this, OK:
how many ad blockers for how many web browsers and smartphones