That 773M Password 'Megabreach' is Years Old (krebsonsecurity.com)

Security reporter Brian Krebs writes: My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it "the largest collection ever of breached data found." But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

The dump, labeled "Collection #1" and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely "made up of many different individual data breaches from literally thousands of different sources." KrebsOnSecurity sought perspective on this discovery from Alex Holden, CTO of Hold Security, a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. Holden said the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.

2 of 29 comments

  1. Re:773M password breach? by jlockard · Score: 2

    It says 773M email addresses and 21 million *unique* passwords.

    I think the key here is that associated with those 773 million email addresses, there are 21 million unique passwords. So, they have 773 million email address entries and there are passwords associated with those 773 million email addresses, and of those 773 million passwords, 21 million of them are unique.

    So, if I were setting up a password cracker, I could preload it with those 21 million unique passwords and I'd have a pretty good start.

    --
    --JLockard - "Some mornings, it's just not worth chewing through the leather straps." - Emo Phillips
  2. Don't change most passwords, do have a system by raymorris · Score: 4, Insightful

    The current official guidelines, and what I've been saying for a long time, are: don't change most passwords regularly, exactly because you need to remember them.

    We can conveniently separate passwords into low-impact (Slashdot) and high-impact (banking and email). Frankly, my Slashdot password doesn't need to be super secure. It can even be the same as my Disqus password.

    We want high-risk sites to have long passwords, and while we need to remember the password, there is some advantage to occasionally updating it. A way to achieve both is to *add* a couple characters every year or so. Maybe in 2005, a passphrase of "yummY pickle leaf$" was good enough. In 2006, I'd make it "yummY pickle leaf$ cake" or "yummY red pickle leaf$". I've changed it, but I'm leveraging my existing memory of it.

    For low-risk sites, one can have a shared base passphrase and add an extension. So:

    Slashdot: BarBoltCamSL
    Reddit: BarBoltCamRE
    Disqus: BarBoltCamDi

    That's not super secure, but I don't need my Slashdot posts to be super secure.
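One way to check the passwords of a scheme like the one above against a breach corpus such as the one Hunt loaded into HaveIBeenPwned, as an added example that is not raymorris's or HIBP's code: it uses the SHA-1 prefix split of the Pwned Passwords range lookup, so only five hex characters of each hash would leave the client. The breach table, its counts and the `local_range` stand-in for the network call are constructed for the demo.

```python
import hashlib

# Constructed demo corpus: passwords assumed to appear in a breach compilation,
# with made-up occurrence counts. A real check would query the HaveIBeenPwned
# Pwned Passwords range endpoint instead of this in-memory table.
LEAKED_COUNTS = {"BarBoltCamSL": 3, "password": 3_700_000, "yummY pickle leaf$": 1}

def sha1_prefix_suffix(password: str):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the server and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def local_range(prefix: str) -> str:
    """Stand-in for the range endpoint: returns 'SUFFIX:COUNT' lines for every
    corpus password whose hash starts with `prefix` (constructed data)."""
    lines = []
    for pw, count in LEAKED_COUNTS.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)

def parse_range(text: str) -> dict:
    """Parse a range response into {suffix: count}, tolerating blank lines."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range=local_range) -> int:
    """Number of times `password` appears in the corpus, 0 if absent.
    Only the hash prefix is handed to `fetch_range`; matching happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def audit(passwords) -> dict:
    """Check every password of a scheme (e.g. base + per-site suffix) at once."""
    return {pw: breach_count(pw) for pw in passwords}

if __name__ == "__main__":
    for pw, n in audit(["BarBoltCamSL", "BarBoltCamRE", "yummY pickle leaf$ cake"]).items():
        print(f"{pw!r}: seen {n} time(s)")
```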