That 773M Password 'Megabreach' is Years Old (krebsonsecurity.com)
Security reporter Brian Krebs writes: My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it "the largest collection ever of breached data found." But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.
The dump, labeled "Collection #1" and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely "made up of many different individual data breaches from literally thousands of different sources." KrebsOnSecurity sought perspective on this discovery from Alex Holden, CTO of Hold Security, a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. Holden said the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.
Password.
Why haven't I gotten any email since 2015?
Have a unique password for each and every site you visit, and then also change them often to the point where they aren't memorable and you end up using 'forgot password'. To get around that, use a password manager, and have everything linked to a single point of failure!
Than to trust anything to be safe online. Hijacking Hotmail used to be as simple as guessing their single security question.
Title says 773M password breach.
TFS says 773M email addresses and 21M passwords.
Is it even possible for our editors to make TFS and title consistent, never mind TFS and TFA?
For that matter, why is the link for TFA to a /. post from yesterday, and not consistent with that /. post, much less itself?
"I do not agree with what you say, but I will defend to the death your right to say it"
But you knew this already - you've surely received several "Hi, I'm a hacker, I installed a trojan on your router" spam crap, you've identified (by the password) the crappy website it was stolen from, maybe even changed it, then you checked the mail headers, saw that it came from a PC from India or Saudi Arabia and went on with your daily life.
After all, you're a "hacker" on Slashdot.
That 773M Password 'Megabreach' is Years Old
OMG -- my password is "Years Old" -- they finally GOT me!
Now they can change my free Pandora account to listen to whatever stations they want (albeit with commercials) and I can't stop them. Whatever shall I do?
If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
The current official guidelines, and what I've been saying for a long time, is don't change most passwords regularly. Exactly because you need to remember them.
We can conveniently separate passwords into low-impact (Slashdot) and high-impact (banking and email). Frankly, my Slashdot password doesn't need to be super secure. It can even be the same as my Discus password.
We want high-risk sites to have long passwords, and while we need to remember the password, there is some advantage to occasionally updating it. A way to achieve both is to *add* a couple characters every year or so. Maybe in 2005, a passphrase of "yummY pickle leaf$" was good enough. In 2006, I'd make it "yummY pickle leaf$ cake" or "yummY red pickle leaf$". I've changed it, but I'm leveraging my existing memory of it.
For low-risk sites, one can have a shared base passphrase and add an extension. So:
Slashdot: BarBoltCamSL
Reddit: BarBoltCamRE
Discus: BarBoltCamDi
That's not super secure, but I don't need my Slashdot posts to be super secure.
...not only is it years old, but the "is my password hacked" check is astonishingly stupid?
So...if I'm worried that my pw might have gotten into the wild, I should "check it" by entering it into a nonsecure form on some dodgy unattributed site? Really?
Should I also send them my bank access info so they can make sure that wasn't hacked as well?
-Styopa
If you read about it, your password isn't sent. It requests all matching hashes with the same prefix as your password (which your browser hashes), then the browser checks for any matches in the returned data set.
k-Anonymity.
The only risk I see is that you accidentally enter your password into a fake version of the website that doesn't do that. For that, there is an API you can use directly.
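The prefix-query check described in the comment above, written out as an added offline example (not code from the original thread or from HaveIBeenPwned). It follows the Pwned Passwords range-API convention of SHA-1 and a 5-hex-character prefix, but the "server" here is a local object seeded with a constructed password list, so nothing leaves the process; the `sent` log lets you verify that only prefixes ever cross the client/server boundary.

```python
import hashlib

# Constructed sample of "leaked" passwords standing in for the server-side corpus.
LEAKED_PASSWORDS = ["password", "123456", "Whatever1!", "qwerty", "letmein", "password"]

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Hash the password locally; the full digest never leaves the client."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Server side: stores only hashes and their counts, answers by 5-char prefix."""

    def __init__(self, passwords):
        self.counts = {}
        for p in passwords:
            h = sha1_hex(p)
            self.counts[h] = self.counts.get(h, 0) + 1

    def range(self, prefix: str):
        # Reject anything other than a 5-hex-char prefix so a client cannot
        # accidentally send a full hash (or a cleartext password) to this endpoint.
        if len(prefix) != 5 or any(c not in HEX for c in prefix):
            raise ValueError("prefix must be exactly 5 hex characters")
        # Return every suffix sharing the prefix; the server cannot tell which
        # one (if any) the client actually holds.
        return [(h[5:], n) for h, n in self.counts.items() if h.startswith(prefix)]


class ClientCheck:
    """Client side: hashes locally, reveals the prefix only, matches the suffix at home."""

    def __init__(self, server: RangeServer):
        self.server = server
        self.sent = []  # everything this client has ever transmitted

    def check(self, password: str) -> int:
        full = sha1_hex(password)
        prefix, suffix = full[:5], full[5:]
        self.sent.append(prefix)
        for candidate_suffix, count in self.server.range(prefix):
            if candidate_suffix == suffix:
                return count  # how many times the password appears in the corpus
        return 0


if __name__ == "__main__":
    client = ClientCheck(RangeServer(LEAKED_PASSWORDS))
    print(client.check("password"), client.check("correct horse battery staple"), client.sent)
```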
KeePass is a good choice. "Or similar" leads to many bad options unless you're very, very careful.
I'd still keep my banking and email password only in my head. Email is important because it can be used to reset all of your other passwords.
Length of passphrase is more important than including punctuation or even randomish-case. Certainly adding a digit on the end and a punctuation mark doesn't help much, because everybody does "Whatever1!".
Speaking of other password managers, a few months ago Corporate Security at the company I worked for chose an official password manager for employees to use. The problem is, we're a security company, full of people who look for security flaws for a living. I've been told that choosing one was rough because people kept pointing out known flaws in each option. It couldn't have been nearly as bad as after they announced the choice, though. We ripped into it. Employees all over the company not only demonstrated why the chosen password manager was totally unacceptable, but so was every option that Corp Sec had suggested for consideration. It was brutal. Almost everything had known flaws - not to mention probably unknown flaws.
They finally ended up suggesting, but not requiring, 1Password. You do have vendor lock-in with 1Password, I think. With KeePass you don't, so that's one I've used personally.*
* Mostly I use one based on gpg which I wrote. Writing one is a really bad idea for most people. Only people who do cryptography and security for a living should even think about writing one. It just so happens I've been doing it professionally for 20 years.