Slashdot Mirror


Hackers Are Passing Around a Megaleak of 2.2 Billion Records (wired.com)

An anonymous reader shares a report: When hackers breached companies like Dropbox and LinkedIn in recent years -- stealing 71 and 117 million passwords, respectively -- they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web. Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords, and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year's phone book.

Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a set of cobbled-together breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2-5, which amounts to 845 gigabytes of stolen data and 25 billion records in all. After accounting for duplicates, analysts at the Hasso Plattner Institute in Potsdam, Germany, found that the total haul represents close to three times the Collection #1 batch.

3 of 116 comments

  1. Re:DB lookup? by bandwannabe · · Score: 5, Informative

    Assuming you're not having a laugh. Troy Hunt does this.

    https://haveibeenpwned.com/
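The site linked above answers "is this password in the dumps?" without ever receiving the password: the client hashes it with SHA-1, sends only the first five hex characters of the digest, gets back every known suffix for that prefix, and does the match locally (k-anonymity). The following is an added example of that client-side logic, not code from the page, from Troy Hunt or from the Have I Been Pwned project. The range response embedded below is constructed; the counts in it are invented, and the only genuine value is the SHA-1 of the string "password". The endpoint URL and the "SUFFIX:COUNT" line format are the documented Pwned Passwords range API, and entries with a count of 0 are how the API pads responses, so they must be treated as "not found".

```python
"""Client-side k-anonymity check against a Pwned Passwords range response.

Added illustration, not the project's own code. Only a 5-hex-char prefix
of the SHA-1 hash leaves the machine; matching happens locally.
"""
from __future__ import annotations

import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint

# Constructed sample of a range response for prefix 5BAA6. Counts are made up
# except that "password" really does hash to 5BAA6 + the second suffix.
# A real response has hundreds of lines; a ":0" line is padding, not a hit.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E6C4B6C18C9AEF0E9F5E39F0B4B0E4A8A8:0
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): the first 5 and remaining 35 hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding entries with count 0 are dropped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the dumps, per the range body.

    The prefix is what a client would put in the URL path; the suffix never
    leaves the process. 0 means 'not present in this response'.
    """
    _prefix, suffix = split_sha1(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Network helper for real use (not exercised offline).

    HIBP rejects requests without a User-Agent; Add-Padding asks the server
    to mix in ':0' entries so response size does not leak the prefix bucket.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, SAMPLE_RANGE_RESPONSE))
```

For a live check, replace `SAMPLE_RANGE_RESPONSE` with `fetch_range(split_sha1(pw)[0])`; the matching code does not change. Note that the second candidate above hashes to a different prefix, so looking it up in the 5BAA6 bucket is a trivially correct "not found", which is exactly why a real client must fetch the bucket for its own prefix.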

  2. A non story by DarkOx · · Score: 4, Informative

    I use this data a lot and I can tell you that most of it is pretty old now. Old enough that it's very, very rapidly declining in usefulness. Most places have forced password changes.

    The level of reuse (password at $COMPANY is the same as user@$COMPANY.com on LinkedIn) is pretty much gone. Most shops have turned up complexity since then as well. So even doing statistics by industry/region/application type/etc. and picking the most frequently used passwords for brute force attacks isn't paying off nearly so often.

    That isn't to say the word lists don't work frequently. It's not to say they don't get you a cracked hash or two when you can get hold of an app's password database or some NTDS.dit files. They do, but it's not getting you accounts that are highly privileged any more; at least not much better than even older stuff like rockyou, right there in Kali, does. You get Bob in the stock room's account this way. You get busted right away using that account by the SIEM as well, because Bob only logs in once a week normally to read e-mail; the moment you touch another system with his account, flags go up.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
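The detection the comment above relies on (a low-privilege account that normally logs into one mailbox host once a week suddenly touching other systems) is a per-account baseline rule. What follows is an added example of such a rule, not code from the page or from any SIEM product. The log lines are constructed, in an invented "timestamp user src_ip host result" format, and the host names, IPs and the cutoff date are assumptions chosen to make the behaviour visible; a real deployment would learn the baseline from weeks of authentication logs rather than four lines.

```python
"""Flag logins where an account touches a host or source IP outside its baseline.

Added example (not the page's own code). Learns, per user, the set of hosts
and source IPs seen in successful logins before a cutoff, then alerts on any
later login that falls outside that set. Log format below is constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: Bob reads mail on mail01 every Monday morning from his
# desk, then one night "Bob" appears from a new IP and walks to other hosts.
SAMPLE_LOGS = """\
2019-01-07T08:02:11 bob 10.1.4.22 mail01 success
2019-01-14T08:05:40 bob 10.1.4.22 mail01 success
2019-01-21T08:01:03 bob 10.1.4.22 mail01 success
2019-01-28T08:03:57 bob 10.1.4.22 mail01 success
2019-01-29T23:41:12 bob 10.9.9.9 mail01 success
2019-01-29T23:42:30 bob 10.9.9.9 fileserv02 success
2019-01-29T23:43:05 bob 10.9.9.9 dc01 failure
2019-01-29T23:43:09 bob 10.9.9.9 dc01 success
"""

TRAINING_CUTOFF = "2019-01-29T00:00:00"  # assumption: baseline ends here


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src_ip: str
    host: str
    result: str


def parse_logs(text: str) -> list[Login]:
    """Parse the constructed 'ts user src_ip host result' lines, in order."""
    events: list[Login] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, host, result = line.split()
        events.append(Login(datetime.fromisoformat(ts), user, src_ip, host, result))
    return events


def build_baseline(events: list[Login], cutoff: datetime):
    """Per-user sets of hosts and source IPs from successful logins before cutoff."""
    hosts: dict[str, set[str]] = defaultdict(set)
    ips: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e.ts < cutoff and e.result == "success":
            hosts[e.user].add(e.host)
            ips[e.user].add(e.src_ip)
    return hosts, ips


def detect(events: list[Login], cutoff: str) -> list[tuple]:
    """Return (ts, user, host, result, reasons) for post-cutoff logins off-baseline.

    Failed logins are kept: a failure on a never-before-seen host is still a
    sign the credential is being tried somewhere it does not belong.
    """
    cutoff_ts = datetime.fromisoformat(cutoff)
    hosts, ips = build_baseline(events, cutoff_ts)
    alerts: list[tuple] = []
    for e in events:
        if e.ts < cutoff_ts:
            continue
        reasons = []
        if e.host not in hosts[e.user]:
            reasons.append("new_host")
        if e.src_ip not in ips[e.user]:
            reasons.append("new_src_ip")
        if reasons:
            alerts.append((e.ts.isoformat(), e.user, e.host, e.result, tuple(reasons)))
    return alerts


def run_sample() -> list[tuple]:
    """Run the rule over the constructed logs with the assumed cutoff."""
    return detect(parse_logs(SAMPLE_LOGS), TRAINING_CUTOFF)


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

The first alert fires before the attacker touches anything new, purely because Bob's mailbox login came from an unfamiliar source IP; the host-based reason then fires on every lateral step. Keeping both signals separate is deliberate: a new IP alone is common (VPN, travel) and may only warrant a lower severity, while new host plus new IP on an account that has never varied is the pattern the comment describes.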
  3. Third option - two or three security levels by raymorris · · Score: 4, Informative

    The government doesn't treat all of their 20 billion documents as if they are Top Secret, because that would be totally unworkable. There aren't nearly enough basement servers and Reddit-using community college sysadmins to handle all of that data.

    Why would YOU treat your Disqus account, or that place you ordered a USB cable from, at the same security level as your bank account? Your 401k account with $350,000 in it needs to be secure. Your password for commenting on Fox News articles doesn't require the same security.

    I have basically three passwords (really three patterns for passwords):

    Sites I really don't care about. Post on a Fox News comment with my handle; I don't care. These all get almost the same trash password. I'm tempted to post that password here just to demonstrate how much it doesn't matter. This is most sites, which I'll only ever log into once or twice.

    Sites I don't want you to have my password for, but it wouldn't do MAJOR damage.

    Banking and email. Email is important because it can be used for password resets on other sites.

    Based on 20 years in security, including over 10 years analyzing login data from people trying to log in with someone else's account, I think I'm reasonably secure. And I really only remember three password bases. Yeah, an old version of my trash password is in the leaks. So what.

    The other thing I do is add a couple of characters every year. That way the old password doesn't work, and I'm still using the memory of the password I was using ten years ago - just with more stuff added.