Slashdot Mirror


Hackers Are Passing Around a Megaleak of 2.2 Billion Records (wired.com)

An anonymous reader shares a report: When hackers breached companies like Dropbox and LinkedIn in recent years -- stealing 71 and 117 million passwords, respectively -- they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web. Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords, and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year's phone book.

Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a set of cobbled-together breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2-5, which amounts to 845 gigabytes of stolen data and 25 billion records in all. After accounting for duplicates, analysts at the Hasso Plattner Institute in Potsdam, Germany, found that the total haul represents close to three times the Collection #1 batch.

9 of 116 comments

  1. Re:DB lookup? by bandwannabe · · Score: 5, Informative

    Assuming you're not having a laugh. Troy Hunt does this.

    https://haveibeenpwned.com/
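
The lookup the comment points to can be done without ever sending the password or its full hash to the service: the haveibeenpwned.com Pwned Passwords API takes only the first five hex characters of the password's SHA-1 and returns every known hash suffix under that prefix with a breach count, so the comparison happens locally (k-anonymity). The block below is an added example, not code from the thread or from Troy Hunt's project; the range response it checks against is constructed sample data, and the `fetch_range_live` function targets the real endpoint but is not called, so the example runs offline.

```python
"""Pwned Passwords k-anonymity range check (added example, not from the thread).

The client hashes the password with SHA-1, sends only the 5-character prefix,
receives "SUFFIX:COUNT" lines for that prefix, and compares the remaining 35
characters locally. SAMPLE_RANGES is a constructed response; counts are made up.
"""
import hashlib
import urllib.request

# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts with it).
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # constructed count
        "0" * 34 + "A:0",                                # padding entries carry a 0 count
        "1AB0C1F4E5D6A7B8C9D0E1F2A3B4C5D6E7F:2",        # constructed suffix
    ]),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the prefix sent out and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the API's 'SUFFIX:COUNT' lines; malformed lines are ignored."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call: returns the constructed sample or an empty range."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def fetch_range_live(prefix: str) -> str:
    """Real endpoint (not exercised here). Add-Padding requests decoy lines so
    the response size reveals less about which prefix was asked for."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """How many times the password appears in the corpus; 0 means not in this range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-9x"):
        n = breach_count(pw)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample range'}")
```

Swapping `fetch_range_live` in for the default fetcher turns this into a working check against the real service; the only thing that leaves the machine is the five-character prefix.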

  2. A non story by DarkOx · · Score: 4, Informative

    I use this data a lot and I can tell you that most of it is pretty old now. Old enough that it's very, very rapidly declining in usefulness. Most places have forced password changes.

    The level of reuse (password at $COMPANY is the same as user@$COMPANY.com on LinkedIn) is pretty much gone. Most shops have turned up complexity since then as well. So even doing statistics by industry/region/application type/etc. and picking the most frequently used passwords for brute force attacks isn't paying off nearly so often.

    That isn't to say the word lists don't work frequently. It's not to say they don't get you a cracked hash or two when you can get hold of an app's password database or some NTDS.dit files. They do, but it's not getting you accounts that are highly privileged any more; at least not much better than even older stuff like rockyou right there in Kali does. You get Bob in the stock room's account this way. You get busted right away using that account by the SIEM as well, because Bob only logs in once a week normally to read e-mail; the moment you touch another system with his account, flags go up.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
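
The detection the comment describes (a low-activity account suddenly authenticating to a host it has never touched) is a baseline-and-deviation rule. The block below is an added example, not the commenter's code or any SIEM vendor's rule: it builds a per-account profile from constructed historical login lines, then flags new successful logins to hosts outside that profile, rating the alert higher for accounts that normally log in rarely. The log format, host names and thresholds are all assumptions.

```python
"""First-login-to-new-host detection over constructed auth logs (added example)."""
import re
from collections import defaultdict

# Assumed key=value log shape; constructed, not a real SIEM format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+host=(?P<host>\S+)\s+result=(?P<result>\S+)$"
)


def constructed_baseline_lines():
    """28 days of constructed history: bob reads mail weekly, alice is busy."""
    lines = [f"2019-01-{7 * k:02d}T09:00:00Z user=bob host=mail01 result=success"
             for k in (1, 2, 3, 4)]
    lines += [f"2019-01-{d:02d}T08:30:00Z user=alice host=ws-alice result=success"
              for d in range(2, 26, 3)]                       # 8 logins
    lines += [f"2019-01-{d:02d}T14:00:00Z user=alice host=fileserver result=success"
              for d in (4, 11, 18, 25)]                       # 4 logins
    lines.append("2019-01-15T10:00:00Z user=bob host=fileserver result=failure")  # excluded
    return lines


# Constructed events to evaluate against the baseline.
NEW_LOG = """\
2019-02-04T09:01:00Z user=bob host=mail01 result=success
2019-02-04T09:05:13Z user=bob host=fileserver result=success
2019-02-04T08:31:00Z user=alice host=ws-alice result=success
2019-02-04T11:20:41Z user=alice host=jump01 result=success
2019-02-04T11:21:02Z user=mallory host=db01 result=success
2019-02-04T11:22:09Z user=bob host=db01 result=failure
"""


def parse_events(lines):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(events):
    """Per-user set of hosts seen and count of successful logins."""
    baseline = defaultdict(lambda: {"hosts": set(), "logins": 0})
    for e in events:
        if e["result"] != "success":
            continue
        baseline[e["user"]]["hosts"].add(e["host"])
        baseline[e["user"]]["logins"] += 1
    return dict(baseline)


def detect_new_host_logins(baseline, events, baseline_days=28, low_activity_per_week=1.0):
    """Alert on successful logins to hosts absent from the user's profile.

    Accounts averaging at most low_activity_per_week logins (like Bob) get
    severity 'high': a quiet account reaching a new system is the strongest signal.
    """
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        profile = baseline.get(e["user"])
        if profile is None:
            alerts.append({"user": e["user"], "host": e["host"], "severity": "high",
                           "reason": "no login history in baseline window"})
            continue
        if e["host"] in profile["hosts"]:
            continue
        per_week = profile["logins"] / (baseline_days / 7)
        severity = "high" if per_week <= low_activity_per_week else "medium"
        alerts.append({"user": e["user"], "host": e["host"], "severity": severity,
                       "reason": f"first login to {e['host']}; "
                                 f"account averages {per_week:.1f} logins/week"})
    return alerts


def run_detection():
    baseline = build_baseline(parse_events(constructed_baseline_lines()))
    return detect_new_host_logins(baseline, parse_events(NEW_LOG.splitlines()))


if __name__ == "__main__":
    for a in run_detection():
        print(f"[{a['severity']}] {a['user']} -> {a['host']}: {a['reason']}")
```

The failed attempts are deliberately left out of the baseline so an attacker's own noise cannot "teach" the profile a new host; only successful logins extend it.
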
  3. I hate hackers! by Anonymous Coward · · Score: 5, Funny

    I wonder if these are the same hackers who installed malware on my favorite 18+ videos site that made my browser start a remote control desktop and keylogger and allowed them to take control of my cam. (I didn't even know I had a cam!!) And they got my contacts and made a video of what I was watching and what I was doing when I was watching the 18+ videos, and they're going to send it to all my contacts unless I pay a bitcoin.

  4. Third option - two or three security levels by raymorris · · Score: 4, Informative

    The government doesn't treat all of their 20 billion documents as if they are Top Secret, because that would be totally unworkable. There aren't nearly enough basement servers and Reddit-using community college sysadmins to handle all of that data.

    Why would YOU treat your Disqus account or that place you ordered a USB cable from at the same security level as your bank account? Your 401k account with $350,000 in it needs to be secure. Your password for commenting on Fox News articles doesn't require the same security.

    I have basically three passwords (really three patterns for passwords):

    Sites I really don't care about. Post on a Fox News comment with my handle; I don't care. These all get almost the same trash password. I'm tempted to post that password here just to demonstrate how much it doesn't matter. This is most sites, which I'll only ever log into once or twice.

    Sites I don't want you to have my password for, but it wouldn't do MAJOR damage.

    Banking and email. Email is important because it can be used for password resets on other sites.

    Based on 20 years in security, including over 10 years analyzing login data from people trying to log in with someone else's account, I think I'm reasonably secure. And I really only remember three password bases. Yeah, an old version of my trash password is in the leaks. So what.

    The other thing I do is add a couple of characters every year. That way the old password doesn't work, and I'm still using the memory of the password I was using ten years ago - just with more stuff added.

  5. Breach by ledow · · Score: 4, Interesting

    Except...

    Most of them are old news.
    Most of them are tiny little independent websites that suffered breaches because of things like WordPress plugins years out of date, etc.
    Most of them are Russian, Korean and other such websites.
    The "big" websites in there, their data is basically just culled from the big breaches that we already know about.
    Everything else is just random spam and junk.
    Quite a lot of it is probably so outdated and useless that it's of no use whatsoever any more.

    I ran HaveIBeenPwned over my domains (including work) about it. Given that we see a regular staff flux, and staff sign up to all kinds of outside services on their work accounts, something would show. And my personal domains have been in the wild for years and I use individual usernames@mydomain.com as burner accounts for things I *know* are dodgy and are gonna get spammed / hacked.

    I got literally 80-90% nonsense (i.e. that email literally has NEVER existed, just made up nonsense, off-by-ones, truncated or padded versions of other usernames on the list, etc.). The rest was just things like known forum-leaks where your username and password for Joe Blogg's Cake Emporium got onto the net. The same was true of all my domains - thousands of users, many of them have left and left their accounts active on defunct sites, decades of history, all kinds of external services plugged into on a regular basis.

    And nothing that even hinted at a valid username and password combination.

    Some kid copy/pasted every "leak" they found in the wild, in the process hitting upon data not only years out of date but also incorrectly formatted and column-sliced so that a lot of nonsense came out. They shoved it into a folder somewhere and someone found it.

    Just because it has 2 billion entries means nothing. I probably have 100+ accounts, just from my recent stuff online, let alone everything back to the ages of some of those "leaks". And 90% of it is absolute made-up junk.

    That takes it down to 18 million people affected before you even start. 18 million people probably use the password "password" for at least one account that they don't care about.

    It's not a huge leak of ultra-secret information from Microsoft, Google, Facebook, governments, etc. It's a copy-paste of every tiny leak that's already happened, back to decades-old exploits of tiny mom'n'pop websites, collected into one (presumably multi-gigabyte) file.

    There would be more damaging information in even a single multi-gigabyte customer database from any major supermarket. At least it would stand a decent chance of being correctly formatted, up-to-date, containing recent details, and have something "potentially damaging" inside it.

    Talk about overblown.
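
The sorting the commenter did by hand (our domain or not, a real account or a made-up one, an off-by-one or truncated or padded variant of a real username) is a triage pass a defender can script over a dump before deciding who actually needs a forced reset. The block below is an added example, not the commenter's tooling: the account directory, domain and dump lines are constructed, and passwords from the dump are parsed off and never retained.

```python
"""Triage a leaked credential list against a known account directory (added example).

Categories: match (existing account, needs a reset), variant (near-miss of a
real username: one edit away, truncated or padded), fabricated (our domain,
no resemblance to any account), other_domain, malformed. All inputs constructed.
"""
from collections import Counter

OUR_DOMAIN = "example.com"                  # assumed organisation domain
KNOWN_ACCOUNTS = {"alice", "bob", "carol"}  # constructed local-part directory

CONSTRUCTED_DUMP = """\
alice@example.com:hunter2
alice@example.com:hunter2
alic@example.com:hunter2
bobb@example.com:letmein
carol1@example.com:qwerty
zzqx@example.com:123456
alice@other.org:hunter2
garbage line without a separator
"""


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = j = 0
    skipped = False
    while i < len(short) and j < len(long_):
        if short[i] == long_[j]:
            i += 1
            j += 1
        elif skipped:
            return False
        else:
            skipped = True   # consume the one extra character of the longer string
            j += 1
    return True


def classify(line: str):
    """Return (category, local_part_or_None). The password field is discarded."""
    if ":" not in line:
        return "malformed", None
    email, _, _password = line.partition(":")   # password intentionally unused
    email = email.strip().lower()
    local, at, domain = email.rpartition("@")
    if not at or not local:
        return "malformed", None
    if domain != OUR_DOMAIN:
        return "other_domain", None
    if local in KNOWN_ACCOUNTS:
        return "match", local
    if any(within_one_edit(local, acct) or local.startswith(acct) or acct.startswith(local)
           for acct in KNOWN_ACCOUNTS):
        return "variant", local
    return "fabricated", local


def triage(dump_text: str):
    """Count each category over distinct lines and collect accounts to reset."""
    seen, counts, to_reset = set(), Counter(), set()
    for raw in dump_text.splitlines():
        line = raw.strip()
        if not line or line in seen:
            continue
        seen.add(line)
        category, local = classify(line)
        counts[category] += 1
        if category == "match":
            to_reset.add(local)
    return counts, to_reset


if __name__ == "__main__":
    counts, to_reset = triage(CONSTRUCTED_DUMP)
    print(dict(counts))
    print("force reset for:", sorted(to_reset))
```

Only the `match` set turns into a reset ticket; the `variant` and `fabricated` counts are what the commenter calls nonsense, and reporting them as a ratio is a quick way to show how little of a dump is actually about your users.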

  6. Re:Popcorn by UnknownSoldier · · Score: 3, Interesting

    Security is seen as an inconvenience / hassle by the majority so, sadly, it gets ignored, until they get p0wned. :-/

    I've posted about Inconsistent password policies for length, characters and expiry dates back in 2012

    Duration depends on context. Some people need passwords that expire every second (thus the proliferation of authenticators), some every day, some every week, some every month, some every few months. I don't believe there is a "one size fits all policy."

    Having an RFC to standardize length, characters and expiry dates would be a good first step.

    Right now having no standard has been a complete clusterfuck as every week it seems like someone is reporting a "data breach."

  7. Re:Popcorn by Cajun+Hell · · Score: 3, Funny

    Passwords should be chosen to make sure that they do not harm any unborn children, because THEY ARE PEOPLE. Passwords must not be allowed to infringe our right to bear arms. Passwords should not pick winners and losers. Passwords should be selected with the understanding that America was founded as a Christian nation. Passwords should not be used as an excuse to make election day a national holiday, nor should passwords enable black or poor people to vote. Do not use a password's youth and inexperience against it. American taxpayers say they won't pay for a longer password, so guess what, the password just got five billion American taxpayer dollars longer. Passwords understand the importance of bondage between a mother and child. Passwords put food on American families. Passwords took the initiative in creating the internet.

    --
    "Believe me!" -- Donald Trump
  8. Effects by duke_cheetah2003 · · Score: 3, Insightful

    One effect of these seemingly continuous reports of data breaches of all sorts of internet companies is the changes to the types of Spam/phishing emails I am receiving.

    It's most disturbing to see your password in the clear, in an email subject, along with an email explaining you've been hacked and blah blah send us bitcoin or we'll do stuff. Whatever.

    Personally I was a bit alarmed by this initially, but also, it was my least important password, the one I use at garbage sites once to download a forum post or similar things.

    But you know, other people who may not be wise enough to not use the same password on different sites, they might take this sort of email entirely differently. As I said, it alarmed me initially. Certainly got me to inspect all my gear for signs of compromise.

    Later in the evening, after finding no evidence of any tampering on any of my stuff, I concluded it must have been a hacked site's data falling into a phishing outfit's hands. It was my least 'secure' password that I throw at sites I don't really plan to use more than once.

    Watch out for these emails, is what I'm saying here. They can really unnerve even an old dinosaur like myself.

  9. Re:Popcorn by kaatochacha · · Score: 3, Insightful

    Having an RFC to standardize length, characters and expiry dates would be a good first step

    Oh my god a million times this. I was just talking with someone this morning about how they create a password that can be variable for various sites, etc but still complicated. But then you hit that site/authentication that won't take caps, or only takes some special characters, and it completely breaks down.