Hackers Are Passing Around a Megaleak of 2.2 Billion Records (wired.com)
An anonymous reader shares a report: When hackers breached companies like Dropbox and LinkedIn in recent years -- stealing 71 and 117 million passwords, respectively -- they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web. Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords, and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year's phone book.
Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a set of cobbled-together breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2-5, which amounts to 845 gigabytes of stolen data and 25 billion records in all. After accounting for duplicates, analysts at the Hasso Plattner Institute in Potsdam, Germany, found that the total haul represents close to three times the Collection #1 batch.
Grab your popcorn, this'll turn into a religious fight over proper password curation. Let the games begin.
I don't trust companies that aren't FAANG or owned by FAANG to not get breached. The FAANG can of course be breached too, but rudderless shitshows like Yahoo were obviously sitting ducks, and bullshit startups completely focused on the ol' hockey-stick growth due to VC pressure sure aren't going to prioritize security while in a "move fast and break things" stage.
Any white hats create a DB lookup tool to allow people to check if their account was compromised?
Better known as 318230.
At that amount of records, I wonder if they simply took all the leaks before, and combined them, to get into the news, and assumed (correctly) that the press wouldn't care.
why can someone not just steal your mobile phone number?
-
all these username and password breaches sound like a conspiracy to strip users of their last bit of anonymity.
by forcing users to two-factor authentication, with emphasis on relying on the mobile phone network, users lose their last vestiges of anonymity.
why? because registering a mobile phone number as two-factor authentication with a username and password ties this account uniquely to you. obviously mobile phones are tracked and most phone numbers get a monthly bill that has to go to real (snail) mail address or such.
i am not counting on advertisement-revenue driven websites to improve their anonymous username:password only accounts AT ALL!
(go yubi-key? the yubi-key doesn't need to track you and doesn't need to send you monthly bills but is a hardware token like a SIM-card is?)
I use this data a lot and I can tell you that most of it is pretty old now. Old enough that it's very, very rapidly declining in usefulness. Most places have forced password changes.
The level of password reuse (password at $COMPANY is the same as user@$COMPANY.com on LinkedIn) is pretty much gone. Most shops have turned up complexity since then as well. So even doing statistics by industry/region/application type/etc. and picking the most frequently used passwords for brute force attacks isn't paying off nearly so often.
That isn't to say the word lists don't work frequently. It's not to say they don't get you a cracked hash or two when you can get hold of an app's password database or some NTDS.dit files. They do, but it's not getting you accounts that are highly privileged any more; at least not much better than even older stuff like rockyou right there in Kali does. You get Bob-in-the-stock-room's account this way. You get busted right away using that account by the SIEM as well, because Bob only logs in once a week normally to read e-mail; the moment you touch another system with his account, flags go up.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
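The detection the comment above describes (a low-activity account that suddenly authenticates to a system it has never touched) as a small, added example; this is not code from the thread or from any SIEM product, and the log format, account names and hostnames are constructed for the illustration:

```python
# Added example: baseline each account's set of target hosts over its first
# N days of history, then alert when the account later authenticates to a
# host outside that set. Log lines are constructed: "timestamp user host".
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon events. "bob" reads mail on MAIL01 once a week, then one
# night his account shows up on the file server and a domain controller.
SAMPLE_LOGS = """\
2019-01-07T08:02:11 bob MAIL01
2019-01-14T08:05:40 bob MAIL01
2019-01-21T08:01:03 bob MAIL01
2019-01-28T08:04:19 bob MAIL01
2019-02-04T08:03:55 bob MAIL01
2019-01-07T09:12:00 alice FILE01
2019-01-07T09:13:10 alice MAIL01
2019-01-08T09:10:00 alice FILE01
2019-02-06T02:14:27 bob FILE01
2019-02-06T02:15:02 bob DC01
"""

def parse_logs(text):
    """Parse the constructed format into sorted (timestamp, user, host) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user, host))
    return sorted(events)

def detect_new_hosts(events, baseline_days=28):
    """Return (timestamp, user, host) for every logon to a host the user has
    never been seen on before, once that user's baseline window has elapsed.
    Events inside the baseline window only build the per-user host set."""
    seen = defaultdict(set)   # user -> hosts observed so far
    first_seen = {}           # user -> timestamp of the user's first event
    alerts = []
    for ts, user, host in events:
        first_seen.setdefault(user, ts)
        in_baseline = ts - first_seen[user] < timedelta(days=baseline_days)
        if host not in seen[user] and not in_baseline:
            alerts.append((ts, user, host))
        seen[user].add(host)
    return alerts

if __name__ == "__main__":
    for ts, user, host in detect_new_hosts(parse_logs(SAMPLE_LOGS)):
        print(f"ALERT {ts.isoformat()} {user} first-ever logon to {host}")
```

A real deployment would key the baseline on (user, host, logon type) and feed it from the authentication log source rather than a string, but the alert condition is the same.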
Seriously, this is all old stuff, people have been notified and many accounts are not even active. Anybody that uses minimal sane security (i.e. good passwords and no reuse, just use a password manager) is not at risk at all. Others would be at risk even without this.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Make every single website you visit have a unique password.
Then also change those passwords often.
Do this to the point where you can't even remember the password and have to use 'reset password' anyway.
Alternatively, use a password manager and make everything depend on a single point of failure.
I wonder if these are the same hackers who installed a malware on my favorite 18+ videos site that made my browser start a remote control desktop and keylogger and allowed them to take control of my cam. (I didn't even know I had a cam!!) And they got my contacts and made a video of what I was watching and what I was doing when I was watching the 18+ videos, and they're going to send it to all my contacts unless I pay a bitcoin.
People really need to stop trusting the Internet.
Rick Schumann
This is half smart-ass and half not. But, I have about 5 old accounts on Yahoo and others that I'd like to get access to. Maybe I should get a copy of the database to see if I could recover my passwords?
We don't need no stinking tranches
> ...like Dropbox and LinkedIn...
Why doesn't the article or the .de site list which breaches are included?
This is why companies don't take security seriously: huge leaks like those, and for both Dropbox and LinkedIn it is pretty much business as usual. In essence, no really serious backlash on them, no responsibilities to honor. It's cheaper for them to do nothing and absorb the cost of such breaches rather than investing in the security that would make them far less likely to happen. As long as the lack of decent security does not affect companies' shareholders' bottom lines in really noticeable ways, companies will carry on doing very, very little in this respect, other than paying lip service to security, in order to maintain a credible public facade.
The government doesn't treat all of their 20 billion documents as if they are Top Secret, because that would be totally unworkable. There aren't nearly enough basement servers and Reddit-using community college sysadmins to handle all of that data.
Why would YOU treat your Disqus account or that place you ordered a USB cable from at the same security level as your bank account? Your 401k account with $350,000 in it needs to be secure. Your password for commenting on Fox News articles doesn't require the same security.
I have basically three passwords (really three patterns for passwords):
Sites I really don't care about. Post on a Fox News comment with my handle; I don't care. These all get almost the same trash password. I'm tempted to post that password here just to demonstrate how much it doesn't matter. This is most sites, which I'll only ever log into once or twice.
Sites I don't want you to have my password for, but it wouldn't do MAJOR damage.
Banking and email. Email is important because it can be used for password resets on other sites.
Based on 20 years in security, including over 10 years analyzing login data from people trying to log in with someone else's account, I think I'm reasonably secure. And I really only remember three password bases. Yeah an old version of my trash password is in the leaks. So what.
The other thing I do is add a couple of characters every year. That way the old password doesn't work, and I'm still using the memory of the password I was using ten years ago - just with more stuff added.
IMHO... Anyone who makes their files internet accessible from a giant service deserves what they get. It's not a safe thing to do.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Google this, OK:
how many ad blockers for how many web browsers and smartphones
It little behooves the best of us to comment on the rest of us.
Except...
Most of them are old news.
Most of them are tiny little independent websites that suffered breaches because of things like Wordpress plugins years out of date, etc.
Most of them are Russian, Korean and other such websites.
The "big" websites in there, their data is basically just culled from the big breaches that we already know about.
Everything else is just random spam and junk.
Quite a lot of it is probably so outdated and useless that it's of no use whatsoever any more.
I ran HaveIBeenPwned over my domains (including work) about it. Given that we see a regular staff flux, and staff sign up to all kinds of outside services on their work accounts, something would show. And my personal domains have been in the wild for years and I use individual usernames@mydomain.com as burner accounts for things I *know* are dodgy and are gonna get spammed / hacked.
I got literally 80-90% nonsense (i.e. that email literally has NEVER existed, just made up nonsense, off-by-ones, truncated or padded versions of other usernames on the list, etc.). The rest was just things like known forum-leaks where your username and password for Joe Blogg's Cake Emporium got onto the net. The same was true of all my domains - thousands of users, many of them have left and left their accounts active on defunct sites, decades of history, all kinds of external services plugged into on a regular basis.
And nothing that even hinted at a valid username and password combination.
Some kid copy/pasted every "leak" they found in the wild, in the process hitting upon data not only years out of date but also incorrectly formatted and column-sliced so that a lot of nonsense came out. They shoved it into a folder somewhere and someone found it.
Just because it has 2 billion entries means nothing. I probably have 100+ accounts, just from my recent stuff online, let alone everything back to the ages of some of those "leaks". And 90% of it is absolute made-up junk.
That takes it down to 18 million people affected before you even start. 18 million people probably use the password "password" for at least one account that they don't care about.
It's not a huge leak of ultra-secret information from Microsoft, Google, Facebook, governments, etc. It's a copy-paste of every tiny leak that's already happened, back to decades-old exploits of tiny mom'n'pop websites, collected into one (presumably multi-gigabyte) file.
There would be more damaging information in even a single multi-gigabyte customer database from any major supermarket. At least it would stand a decent chance of being correctly formatted, up-to-date, containing recent details, and have something "potentially damaging" inside it.
Talk about overblown.
> When hackers breached companies like Dropbox and LinkedIn in recent years -- stealing 71 and 117 million passwords, respectively -- they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web.
Am I the only one who is actually happy these details were just dropped out in the open for anyone to see?
This devalues our personal data significantly. Who the hell wants to spend any amount of money at all on my personal data when you can now just download it for free? This is an enormous blow to the black market; shady data brokers must be tearing their hair out in handfuls over this!
All my passwords are just the word password and I'm cripplingly poor! I've been wasting hackers time for years.
The best outcome would be for every password, SSN, credit score, and any other personally sensitive information to be leaked and in the open. That way, identity theft would be impossible because no one would trust this information. Right now, to stop fraud and identity theft, every single corporation wants every single scrap of information about everyone to prove they are who they say they are, but that just builds bigger and bigger databases of PII all over the place, making the problem worse. We need a better solution, and when every single SSN is available for every single person, then something besides an SSN will have to be used to establish identity.
I had to take a Megaleak one time. Man that felt good!
One effect of these seemingly continuous reports of data breaches of all sorts of internet companies is the changes to the types of spam/phishing emails I am receiving.
It's most disturbing to see your password in the clear, in an email subject, along with an email explaining you've been hacked and blah blah send us bitcoin or we'll do stuff. Whatever.
Personally I was a bit alarmed by this initially, but also, it was my least important password, the one I use on garbage sites once to download a forum post or similar things.
But you know, other people who may not be wise enough to not use the same password on different sites, they might take this sort of email entirely differently. As I said, it alarmed me initially. Certainly got me to inspect all my gear for signs of compromise.
Later in the evening, after finding no evidence of any tampering on any of my stuff, I concluded it must have been a hacked site's data falling into a phishing outfit's hands. It was my least 'secure' password that I throw at sites I don't really plan to use more than once.
Watch out for these emails, is what I'm saying here. They can really unnerve even an old dinosaur like myself.
There are really three possibilities here, either you're not in the list, you ARE in the list and you know it, or you ARE in the list and you don't know it.
Since "you need to change your password immediately" is the response for only one of those situations, knowing you're in such a list is very important. It lets you know you need to take action.
It's actually worse if you're in a list like that and you have no way of knowing it, (like if it's only being passed around on darkweb sites) because you don't get any warning to change your password until after someone has abused it. So be thankful that the list is available for you to check, instead of only available to the criminals that would much prefer to have a head start on emptying your bank account.
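One way such a list can be made checkable without handing over the secret being checked is the k-anonymity scheme used by Have I Been Pwned's Pwned Passwords range API, in which only the first five hex characters of the password's SHA-1 leave the machine and the match is done locally. The following is an added example, not code from the thread or from HIBP; the endpoint URL is the real one, the sample response body and its counts are constructed, and `fetch_range` is the only function that touches the network.

```python
# Added example: k-anonymity password check in the style of the Pwned
# Passwords range API. Send a 5-char SHA-1 prefix, receive every
# "SUFFIX:COUNT" line in that bucket, and compare the 35-char suffix locally.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real endpoint

# Constructed bucket for prefix 5BAA6. The second suffix is the real SHA-1
# remainder of the string "password"; the other lines and all counts are
# made up for the illustration.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2B4D8A9C5E1F0F6A7B8C9D0E1F2A3B4C5D6:2
"""

def split_sha1(password: str):
    """Return (prefix, suffix): first 5 and remaining 35 uppercase hex chars
    of SHA-1(password). Only the prefix is ever sent to the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines ignored."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, range_body: str) -> int:
    """Number of times the password's suffix appears in the bucket; 0 = not seen."""
    _, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)

def fetch_range(prefix: str) -> str:
    """Fetch the live bucket for a 5-char prefix (network access required)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    # Offline demonstration against the constructed bucket.
    print("password ->", breach_count("password", SAMPLE_RANGE_5BAA6))
    print("xkcd-style ->", breach_count("correct horse battery staple",
                                        SAMPLE_RANGE_5BAA6))
```

To run it against the live service, replace the sample body with `fetch_range(split_sha1(pw)[0])`; the server still only learns the prefix, which is shared by hundreds of unrelated passwords.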
I work for the Department of Redundancy Department.
That's what password managers are for. Anyway for cloud storage and backup, simply encrypt before sending. More work on your end, but one doesn't lose everything if there's a breach.
I was writing / editing that post super quickly because it was time for Scrum.
I murdered the English language.
Short movie. Godzilla snacks on an oversized vegetable while trashing a Tokyo farmer's market. Michael Bay edits in a bunch of explosions with each crunchy bite.
I downloaded an older, smaller version of this a couple of years ago to play with. The download was over 20 GB compressed. It decompressed to a plain text file that was vastly more than that. Searching it with traditional text tools was impossible in any reasonable time. It was too large to load into any of the simpler free databases and index it. I finally got it loaded into a table in MySQL and it was still bringing my quad-core i7 laptop to its knees. I fed it into a cracking program to test against a file brute forced from my WiFi and at the rate it was going it would have taken weeks to run the whole database. The experience left me feeling pretty safe from attack using files like this.
At some point, there will be so many passwords available on this list that using the list for a brute force attack that tries all of those passwords won't be much more effective than a true brute force attack. We may already be near that for users without specially equipped machines.
msmash needs a moment to shout "hackers" for no reason. Today it was wired that served.