Slashdot Mirror


Hackers Are Passing Around a Megaleak of 2.2 Billion Records (wired.com)

An anonymous reader shares a report: When hackers breached companies like Dropbox and LinkedIn in recent years -- stealing 71 and 117 million passwords, respectively -- they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web. Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords, and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year's phone book.

Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a set of cobbled-together breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2-5, which amounts to 845 gigabytes of stolen data and 25 billion records in all. After accounting for duplicates, analysts at the Hasso Plattner Institute in Potsdam, Germany, found that the total haul represents close to three times the Collection #1 batch.

2 of 116 comments

  1. Effects by duke_cheetah2003 · Score: 3, Insightful

    One effect of these seemingly continuous reports of data breaches of all sorts of internet companies is the changes to the types of spam/phishing emails I am receiving.

    It's most disturbing to see your password in the clear, in an email subject, along with an email explaining you've been hacked and blah blah send us bitcoin or we'll do stuff. Whatever.

    Personally I was a bit alarmed by this initially, but also, it was my least important password, the one I use on garbage sites once to download a forum post or similar things.

    But you know, other people who may not be wise enough to not use the same password on different sites, they might take this sort of email entirely differently. As I said, it alarmed me initially. Certainly got me to inspect all my gear for signs of compromise.

    Later in the evening, after finding no evidence of any tampering on any of my stuff, I concluded it must have been a hacked site's data falling into a phishing outfit's hands. It was my least 'secure' password that I throw at sites I don't really plan to use more than once.

    Watch out for these emails, is what I'm saying here. They can really unnerve even an old dinosaur like myself.
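The comment above turns on two things: a password that has leaked is now in the hands of phishing outfits, and anyone who reused it elsewhere is exposed. The defender's check is to find out whether a password appears in a known breach corpus without disclosing the password itself. The following is an added example, not code from the Slashdot post or from any of the researchers named; it implements the k-anonymity range-lookup pattern (the client hashes locally, sends only the first five hex characters of the SHA-1, and matches the rest at home) against a small constructed in-memory "leak" that stands in for a server-side breach index. The password list, the function names and the `SUFFIX:COUNT` line format are assumptions of this example.

```python
import hashlib
from collections import Counter

# Constructed sample "breach corpus": a handful of plaintext passwords standing in for
# a leaked credential dump. A real service would hold only SHA-1 hashes and counts.
CONSTRUCTED_LEAK = ["password", "123456", "letmein", "password", "qwerty", "password"]

PREFIX_LEN = 5  # 5 hex chars = 20 bits; the server learns nothing more than this


def build_range_index(passwords):
    """Server side: map each 5-char SHA-1 prefix to {35-char suffix: occurrence count}."""
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
        index.setdefault(prefix, Counter())[suffix] += 1
    return index


def range_query(index, prefix):
    """Server side: answer a prefix query with every matching 'SUFFIX:COUNT' line.

    Because many unrelated hashes share a prefix, the response does not reveal which
    one (if any) the client actually holds.
    """
    bucket = index.get(prefix, {})
    return [f"{suffix}:{count}" for suffix, count in sorted(bucket.items())]


def breach_count(password, index):
    """Client side: hash locally, send only the prefix, compare suffixes at home.

    Returns how many times the password appeared in the corpus (0 = not found).
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in range_query(index, prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_LEAK)
    for pw in ["password", "letmein", "correct horse battery staple"]:
        n = breach_count(pw, idx)
        verdict = f"seen {n} time(s) in the leak" if n else "not in the leak"
        print(f"{pw!r}: {verdict}")
```

The point of the split between `range_query` and `breach_count` is that the only thing crossing the trust boundary is the 20-bit prefix; the full hash, and therefore the password, never leaves the client. A throwaway password that comes back with a non-zero count is exactly the kind that ends up in an extortion email subject line, and any account sharing it should be treated as already compromised.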

  2. Re:Popcorn by kaatochacha · Score: 3, Insightful

    Having a RFC to standardize length, characters and expiry dates would be a good first step

    Oh my god, a million times this. I was just talking with someone this morning about how they create a password that can be variable for various sites, etc., but still complicated. But then you hit that site/authentication that won't take caps, or only takes some special characters, and it completely breaks down.