Hackers Are Passing Around a Megaleak of 2.2 Billion Records (wired.com)
An anonymous reader shares a report: When hackers breached companies like Dropbox and LinkedIn in recent years -- stealing 71 and 117 million passwords, respectively -- they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web. Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords, and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year's phone book.
Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a set of cobbled-together breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2-5, which amounts to 845 gigabytes of stolen data and 25 billion records in all. After accounting for duplicates, analysts at the Hasso Plattner Institute in Potsdam, Germany, found that the total haul represents close to three times the Collection #1 batch.
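The practical question a practitioner has after a dump like this is whether a given password appears in it without ever sending that password anywhere. Troy Hunt's Have I Been Pwned service exposes its Pwned Passwords corpus through a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters of the digest to `https://api.pwnedpasswords.com/range/<prefix>`, and receives every 35-character suffix in that range with a count, so the server never learns which hash was being looked up. The following Python is an added example (not code from Wired, Slashdot or HIBP); the range response embedded in it is constructed for the example and only the `password` suffix is a genuine SHA-1 value, the counts and the other two lines are made up.

```python
import hashlib
import urllib.request

# Constructed stand-in for a Pwned Passwords range response for prefix 5BAA6,
# the first five hex characters of SHA-1("password"). Format is one
# "<35-char suffix>:<count>" per line. Only the second suffix is a real SHA-1
# suffix; all counts and the other two suffixes are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2F2A7C1EC3C9B3A9A9A8D0B6C2E4F5A6B7C:15
"""

# Offline lookup table used so the example runs without network access.
OFFLINE_RANGES = {"5BAA6": SAMPLE_RANGE_5BAA6}


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.

    Only the 5-character prefix ever leaves the client; the remaining 35
    characters are compared locally against the server's range response.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse a range response body into {suffix: count}."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Stub fetcher: returns the constructed sample, or nothing for other prefixes."""
    return OFFLINE_RANGES.get(prefix, "")


def fetch_range_online(prefix: str) -> str:
    """Real fetcher against the public API (not called by the offline demo).

    The request carries only the 5-character prefix, never the password or
    the full hash.
    """
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Number of times the password appears in the corpus (0 if absent)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "a-long-unique-passphrase-nobody-reused"):
        print(candidate, "->", pwned_count(candidate))
```

Swap `fetch_range_online` in for the offline stub to query the live service; the only data crossing the wire is the five-character prefix, which matches on the order of a few hundred suffixes per range, so a server-side observer learns nothing about which one the client cared about. A non-zero count should be treated as "reject this password", not as a score.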
why can someone not just steal your mobile phone number?
-
all these username and password breaches sound like a conspiracy to strip users of their last bit of anonymity.
by forcing users into two-factor authentication, with emphasis on relying on the mobile phone network, users lose their
last vestiges of anonymity.
why? because registering a mobile phone number as two-factor authentication with a username and password ties this account uniquely to you. obviously mobile phones are tracked and most phone numbers get a monthly bill that has to go to real (snail) mail address or such.
i am not counting on advertisement-revenue driven websites to improve their anonymous username:password only accounts AT ALL!
(go yubi-key? the yubi-key doesn't need to track you and doesn't need to send you monthly bills but is a hardware token like a SIM-card is?)
Except...
Most of them are old news.
Most of them are tiny little independent websites that suffered breaches because of things like Wordpress plugins years out of date, etc.
Most of them are Russian, Korean and other such websites.
The "big" websites in there, their data is basically just culled from the big breaches that we already know about.
Everything else is just random spam and junk.
Quite a lot of it is probably so outdated and useless that it's of no use whatsoever any more.
I ran HaveIBeenPwned over my domains (including work) about it. Given that we see a regular staff flux, and staff sign up to all kinds of outside services on their work accounts, something would show. And my personal domains have been in the wild for years and I use individual usernames@mydomain.com as burner accounts for things I *know* are dodgy and are gonna get spammed / hacked.
I got literally 80-90% nonsense (i.e. that email literally has NEVER existed, just made up nonsense, off-by-ones, truncated or padded versions of other usernames on the list, etc.). The rest was just things like known forum-leaks where your username and password for Joe Blogg's Cake Emporium got onto the net. The same was true of all my domains - thousands of users, many of them have left and left their accounts active on defunct sites, decades of history, all kinds of external services plugged into on a regular basis.
And nothing that even hinted at a valid username and password combination.
Some kid copy/pasted every "leak" they found in the wild, in the process hitting upon data not only years out of date but also incorrectly formatted and column-sliced so that a lot of nonsense came out. They shoved it into a folder somewhere and someone found it.
Just because it has 2 billion entries means nothing. I probably have 100+ accounts, just from my recent stuff online, let alone everything back to the ages of some of those "leaks". And 90% of it is absolute made-up junk.
That takes it down to 18 million people affected before you even start. 18 million people probably use the password "password" for at least one account that they don't care about.
It's not a huge leak of ultra-secret information from Microsoft, Google, Facebook, governments, etc. It's a copy-paste of every tiny leak that's already happened, back to decades-old exploits of tiny mom'n'pop websites, collected into one (presumably multi-gigabyte) file.
There would be more damaging information in even a single multi-gigabyte customer database from any major supermarket. At least it would stand a decent chance of being correctly formatted, up-to-date, containing recent details, and have something "potentially damaging" inside it.
Talk about overblown.
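The triage the commenter above describes (most lines are junk, off-by-one or truncated mailboxes, duplicates across separators and letter case, and a few real forum leaks) is easy to automate before deciding whether a dump matters to your domain. The script below is an added example, not code from the commenter or from any breach-analysis tool; the dump lines and the list of known accounts are constructed for the example, and `example.com` is a placeholder domain.

```python
import re
from collections import Counter

# Loose mailbox syntax check: enough to reject "not-an-email" and "@example.com"
# style junk without trying to be a full RFC 5322 validator.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Dumps mix separators (':' ';' '|' tab); split on the first one only so a
# password containing ':' is kept intact.
LINE_RE = re.compile(r"^([^:;|\t]+)[:;|\t](.*)$")

# Constructed sample dump lines (not real data): case/separator duplicates,
# an off-by-one mailbox, a line with no password, a malformed local part.
SAMPLE_DUMP = """\
alice@example.com:hunter2
Alice@Example.com:hunter2
alice@example.com;hunter2
alic@example.com:hunter2
bob@example.com:letmein
bob@example.com:letmein123
not-an-email:whatever
carol@example.com
dave@other.org:qwerty
@example.com:blank
"""

# Constructed list of mailboxes that actually exist at the domain under review.
KNOWN_ACCOUNTS = {"alice@example.com", "bob@example.com", "erin@example.com"}


def parse_line(line: str):
    """Return a normalised (email, password) pair, or None for junk."""
    line = line.strip()
    if not line:
        return None
    m = LINE_RE.match(line)
    if not m:
        return None
    email, password = m.group(1).strip().lower(), m.group(2)
    if not password or not EMAIL_RE.match(email):
        return None
    return email, password


def triage(dump_text: str, known_accounts: set, domain: str):
    """Deduplicate a dump, count junk, and split in-domain mailboxes into
    ones that really exist (hits) and ones that never did (ghosts)."""
    stats: Counter = Counter()
    pairs = set()
    for raw in dump_text.splitlines():
        if not raw.strip():
            continue
        stats["lines"] += 1
        parsed = parse_line(raw)
        if parsed is None:
            stats["junk"] += 1
            continue
        if parsed in pairs:
            stats["duplicates"] += 1
            continue
        pairs.add(parsed)

    emails = {email for email, _ in pairs}
    in_domain = {e for e in emails if e.endswith("@" + domain)}
    stats["unique_pairs"] = len(pairs)
    stats["unique_emails"] = len(emails)
    stats["domain_emails"] = len(in_domain)
    hits = sorted(in_domain & known_accounts)      # real accounts: act on these
    ghosts = sorted(in_domain - known_accounts)    # never existed: noise
    return dict(stats), hits, ghosts


if __name__ == "__main__":
    stats, hits, ghosts = triage(SAMPLE_DUMP, KNOWN_ACCOUNTS, "example.com")
    print(stats)
    print("force a reset for:", hits)
    print("ignore (never existed):", ghosts)
```

For the constructed input this reports 10 lines, 3 junk, 2 duplicates and 5 unique pairs, with two genuine accounts to act on and one ghost mailbox to ignore. On a real dump, keep only the mailbox side once triage is done: the passwords belong in a hashed blocklist (or a Pwned-Passwords-style check at login), not in a set on an analyst's laptop.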
Security is seen as an inconvenience / hassle by the majority so, sadly, it gets ignored, until they get p0wned. :-/
I've posted about inconsistent password policies for length, characters and expiry dates back in 2012.
Duration depends on context. Some people need passwords that expire every second (thus the proliferation of authenticators), some every day, some every week, some every month, some every few months. I don't believe there is a "one size fits all policy."
Having a RFC to standardize length, characters and expiry dates would be a good first step.
Right now, having no standard is a complete clusterfuck, as every week it seems like someone is reporting a "data breach."