Slashdot Mirror


Collection 1 Data Breach Exposes More Than 772 Million Email Addresses (zdnet.com)

A collection of almost 773 million unique email addresses and just under 22 million unique passwords were exposed on cloud service MEGA. Security researcher Troy Hunt said the collection of data, dubbed Collection #1, totaled over 12,000 separate files and more than 87GB of data. ZDNet reports: "What I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago," Hunt wrote. "In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see." Some passwords, including his own, have been "dehashed", that is converted back to plain text. Hunt said he gained the information after multiple people reached out to him with concerns over the data on MEGA, with the Collection #1 dump also being discussed on a hacking forum. "The post on the forum referenced 'a collection of 2000+ dehashed databases and Combos stored by topic' and provided a directory listing of 2,890 of the files," Hunt wrote. The collection has since been removed. You can visit Hunt's Have I Been Pwned service to see if you are affected by this breach.

11 of 68 comments

  1. /Oblg. Honey pot by UnknownSoldier · · Score: 4, Funny

    /sarcasm Like I'm going to fall for "Have I Been Pwned" -- that's just a honeypot ! =P

    1. Re:/Oblg. Honey pot by thermopile · · Score: 4, Informative
      Here's Troy's write-up of the incident, which is better than the ZDNet account:

      https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

      --

      "Diplomacy is something you do until you find a rock." --Richard Pound

    2. Re:/Oblg. Honey pot by davmoo · · Score: 2

      Crap. Didn't realize I wasn't logged in until I hit 'submit'. So let's try this again so that it might actually show up instead of being a hidden 'anonymous coward'.

      Actually he does have links for downloadable copies of the database. Go to the "Passwords" tab and scroll down to the bottom. But all the data is encoded SHA-1 or NTLM. It's not a clear text database. So I doubt having a local copy would be useful for a dictionary search.

      --
      I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
  2. They have a great API by piojo · · Score: 5, Informative

    I love their API. You can do a search without submitting any sensitive information. Not even a full sha1sum. You send a partial sha1sum, and they send back possible matches. Locally, you see if any are exact matches.

    Here is a bash/zsh function which looks up a password (obviously without printing it to console or sending it anywhere):

    function haveibeenpwned() {
        echo "Enter password to check:"
        stty -echo                      # don't echo the password while it is typed
        read -r line                    # -r: keep backslashes in the password as typed
        stty echo
        echo
        # printf avoids echo's option parsing; no trailing newline is hashed
        local sha1="$(printf '%s' "$line" | sha1sum - | cut -f1 -d' ')"
        echo sha1 is "$sha1"
        # first 5 hex chars go to the API, the remaining 35 stay local
        local prefix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\1/')"
        local suffix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\2/')"
        echo "Searching for prefix: $prefix and suffix: $suffix"
        echo
        # the API answers with uppercase SUFFIX:COUNT lines; -i matches our lowercase hex
        curl -s "https://api.pwnedpasswords.com/range/$prefix" | grep -i "$suffix"
    }

    --
    A cat can't teach a dog to bark.
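The range lookup piojo describes, written out as an added example that is not part of the thread and not piojo's function: the SHA-1 is split into the 5-character prefix that would be sent and the 35-character suffix that stays local, and the suffix is matched against the "SUFFIX:COUNT" lines of a range response. The response text and the counts in it are constructed so the example runs offline, and the function names (sha1_hex, split_hash, pwned_count_offline, pwned_count_online) are assumptions of this example; a live check substitutes curl output for the sample.

```shell
#!/bin/sh
# Added example (not piojo's function): Pwned Passwords range lookup, done offline.
# Only the first 5 hex chars of the SHA-1 identify the range; the remaining 35
# are compared locally, so the password and its full hash never leave the machine.

# Constructed stand-in for the body that a GET of
# https://api.pwnedpasswords.com/range/5BAA6 returns: one "SUFFIX:COUNT" line
# per hash in that range, suffixes in uppercase. The counts are made up here.
SAMPLE_RANGE_RESPONSE='003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E9B9BC2A1B5B1CE8F7E6A3B2B2D9D5D4C1:2'

# sha1_hex STRING -> lowercase hex SHA-1 of STRING (no trailing newline hashed)
sha1_hex() {
    printf '%s' "$1" | sha1sum | cut -d' ' -f1
}

# split_hash HASH -> sets PREFIX (5 chars, the only part sent) and SUFFIX
# (35 chars, kept local). cut -c keeps this POSIX; in bash "${h:0:5}" and
# "${h:5}" do the same job as the sed/regex split in the thread.
split_hash() {
    PREFIX=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | cut -c1-5)
    SUFFIX=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | cut -c6-)
}

# pwned_count_offline PASSWORD RESPONSE_TEXT -> prints how many times PASSWORD's
# hash occurs in RESPONSE_TEXT (the range body for its prefix), or 0 if absent.
pwned_count_offline() {
    split_hash "$(sha1_hex "$1")"
    # SUFFIX is plain hex, so it is safe to use as a grep anchor
    count=$(printf '%s\n' "$2" | grep "^$SUFFIX:" | cut -d: -f2)
    printf '%s\n' "${count:-0}"
}

# Live version, for reference: the same match against what the API returns.
# Only $PREFIX appears in the URL. Needs network access, so not exercised here.
pwned_count_online() {
    split_hash "$(sha1_hex "$1")"
    pwned_count_offline "$1" "$(curl -sS "https://api.pwnedpasswords.com/range/$PREFIX")"
}

# Usage (password given as an argument here only for demonstration):
#   pwned_count_offline password "$SAMPLE_RANGE_RESPONSE"   # prints 3730471
```

The offline function ignores the prefix on purpose: the caller is expected to have fetched the range for that prefix, which is the only thing the server ever learns. Matching on `^SUFFIX:` rather than a bare substring avoids a false hit when the suffix happens to occur inside another line's count.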
  3. I'm probably in there by steveha · · Score: 5, Interesting

    Starting a couple of months ago, I've received a huge number of extortion emails. At this point it's extortion spam.

    All the emails follow the same pattern, and all include somewhere (usually in the To: line, for some reason) an old "burner" password I used on web sites where I don't care if the password leaks.
    Here's a rough paraphrase:

    Hi, I'm an elite international hacker, and I've hacked your email. You can tell I'm for real because I used your own email account to send this to you.

    Go ahead and change your password, but it's too late to protect you from me. I installed a secret program on your computer and it has been logging everything you do, including collecting images from your computer's webcam. I have collected a list of all the porn sites you visit and made a video showing what you were doing while you visited them. You have interesting tastes in porn, don't you!

    When you opened this email a timer was automatically started, and you have 48 hours to pay me money or else my automatic program will send all the dirt I have on you to all your friends I harvested from your email address book.

    You can use $CRYPTOCURRENCY to send me the money. Send $AMOUNT to $ID_NUMBER. [$AMOUNT is usually $700 or $800 or so.] If you don't know how to use cryptocurrency, just Google it, it's easy.

    Be more careful in the future so this doesn't happen again to you.

    I have received dozens of copies of this email, with the text slightly different. Some of them end with "Don't hate me, everyone needs to do their own job." Some of them call the mysterious malware "RAT software". A couple of times the email was translated into Japanese. (I can read just a little bit of Japanese and was able to recognize it, and I showed it to a fluent friend who confirmed that it fit the above pattern.)

    <sarcasm>I must say, my computer is running pretty well considering how many elite international hackers have been messing with it and installing RAT software and such.</sarcasm>

    As it happens, I got one copy of the email at least a week before the deluge started. I realized it would have been very scary for someone who uses the same password everywhere and doesn't know how easy it is to forge the "From:" header. Doubly scary if that person actually visits porn sites.

    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely
    1. Re:I'm probably in there by thegarbz · · Score: 2

      Yeah well that's because of all the porn you surf. It says so right in the email. :-P

    2. Re:I'm probably in there by AmiMoJo · · Score: 4, Funny

      I'm tempted to email one back asking them to send the videos out, because I saw this great porn video but can't find it now and maybe they captured it. Plus I want to change my avatar to my orgasm face but am having trouble triggering my camera at the right moment, and my mum won't help.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. How to make the search safe by shanen · · Score: 2

    Exactly my reaction. The "checking" system should NOT ask for your email address. For example, it could ask for substrings, perhaps four letters at a time, and tell you how many possibilities there are. If there are too many to scan to see if you've been included, then you could enter another four characters and refine the search. At no point should you need to give away the email address you're trying to check.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  5. Using BASH RegEx by DrYak · · Score: 4, Informative

    local prefix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\1/')"
    local suffix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\2/')"

    For recent Bash versions that have built-in RegEx :

    [[ "${sha1}" =~ ^(.....)(.*)$ ]]
    local prefix="${BASH_REMATCH[1]}"
    local suffix="${BASH_REMATCH[2]}"

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  6. everybody is acting all surprised.... by WolfgangVL · · Score: 4, Interesting

    Just stop sharing your damn creds. If you can't do that, then stop sharing THE damn creds.

    "Jail the execs!"
    "Hold them accountable!"
    "Fine them!"
    "We need new laws!"

    None of that shit is going to happen. If you keep making accounts for every little thing, pretty soon I'm gonna need to create a throwaway account to pump fkg gas. Just stop.

    Checkout as guest. No thanks. I do NOT agree.

    Do you really NEED an account for everydumbthing.com?

    Creds have value, otherwise, you would not be asked to give them away every other keystroke. Treat them as such.

    Sometimes, the only way to win is not to play.

    --
    You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
  7. Re:Criminal Liability? by dwillden · · Score: 2

    I already do all that. But none of that addresses the issue that most of these breaches are not due to some exotic zero-day exploit but from company after company not bothering to properly secure their data storage against the simplest of hacks and phishing attempts. Phish the right secretary who shouldn't have the access to those accounts and yet somehow she does and we have a breach.

    Yes there will always be some vulnerabilities. But how often do you hear of Banks having their financial systems hacked? Not very often. And it's because they are liable for the money they are entrusted with. Security is possible, and not that difficult. But too many companies that are so eager to hoover in and aggregate all our data barely bother with security.

    It's time to make allowing these breaches criminal. In court if they can prove it was a true zero-day exploit then they can be excused. But if it's determined to be a common and easily blocked attack then they deserve the liability, and any fines that come with it.

    --
    I'm too lazy to compose a creative sig.