cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
22,061
Troy Hunt is a Microsoft Regional Director and is the owner and creator of Have I Been Pwned (HIBP). Today he alerted the security community to a massive 87GB data breach that the hacker community calls "Collection #1." It contains 773 million unique email addresses, 1.1 billion unique combinations of email addresses and passwords, and over 21 million unique passwords. The data dump is from a MEGA collection that a hacker community forum used to upload stolen credentials to as they shared their latest escapades. Since "Collection #1" has so many individual hackers associated with it, verifying all of the data breaches at individual companies is extremely time consuming. Curious consumers can use HIBP to check to see if their email address is part of the collection and they can use Pwned Passwords to see if their password has been compromised.

What's the Risk If My Data Is in There? I referred to the word "combos" earlier on and simply put, this is just a combination of usernames (usually email addresses) and passwords. In this case, it's almost 2.7 billion of them compiled into lists which can be used for credential stuffing: Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. In other words, people take lists like these that contain our email addresses and passwords then they attempt to see where else they work. The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because it's subsequently been breached and you've been using that same password all over the place, you've got a serious problem.
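Credential stuffing as described above leaves a recognisable pattern in a service's own authentication logs: one source address cycling through many different usernames in a short span, mostly failing and occasionally landing a hit. The following is an added example (not from the article or this thread) that flags such sources in constructed sample log lines; the log format, the sliding window and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed authentication log: "timestamp source_ip username result".
# 203.0.113.7 walks through six different accounts in ninety seconds and
# lands one of them; 192.0.2.5 is a real user mistyping their own password.
SAMPLE_LOG = """\
2019-01-17T14:00:01Z 203.0.113.7 alice@example.com FAIL
2019-01-17T14:00:04Z 203.0.113.7 bob@example.com FAIL
2019-01-17T14:00:09Z 203.0.113.7 carol@example.com FAIL
2019-01-17T14:00:15Z 203.0.113.7 dave@example.com FAIL
2019-01-17T14:00:22Z 203.0.113.7 erin@example.com OK
2019-01-17T14:01:30Z 203.0.113.7 frank@example.com FAIL
2019-01-17T14:02:00Z 192.0.2.5 bob@example.com FAIL
2019-01-17T14:02:20Z 192.0.2.5 bob@example.com FAIL
2019-01-17T14:02:45Z 192.0.2.5 bob@example.com OK
2019-01-17T14:10:00Z 198.51.100.9 alice@example.com OK
"""

def parse_line(line):
    """Return (timestamp, ip, username, result) or None for junk lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return ts, parts[1], parts[2].lower(), parts[3]

def find_stuffing_sources(lines, window_seconds=300, min_users=5):
    """Return {ip: stats} for every source that tried at least `min_users`
    distinct usernames inside any `window_seconds` span (assumed thresholds)."""
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        users = Counter()   # usernames seen in the current sliding window
        start = 0
        for end, (ts, _, user, _) in enumerate(events):
            users[user] += 1
            # Drop events from the front until the window fits window_seconds
            while (ts - events[start][0]).total_seconds() > window_seconds:
                old = events[start][2]
                users[old] -= 1
                if users[old] == 0:
                    del users[old]
                start += 1
            best = flagged.get(ip, {}).get("distinct_users", 0)
            if len(users) >= min_users and len(users) > best:
                span = events[start:end + 1]
                flagged[ip] = {
                    "distinct_users": len(users),
                    "failures": sum(1 for e in span if e[3] == "FAIL"),
                    "successes": sum(1 for e in span if e[3] == "OK"),
                }
    return flagged
```

A single success inside a flagged window is the signal worth acting on: that account's password was most likely reused from a breached list and should be reset.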
 
Dang that sucks for people who utilize the same log-in information across sites.

I've been using my own custom algorithm for developing strong, unique and memorable passwords for sites for years now. You're screwed if someone discovers your algorithm but that isn't likely.

Also, if a site offers 2FA just use it for crying out loud.
 
My coworker just got hit on multiple fronts. A "hacker" tried to access and change his bank, Instagram, and other passwords associated with pwn3d credentials. Needless to say: he learned the hard way not to use the same user ID/password combo everywhere.

Happened to me with the Gawker breach nearly 10 years ago, so I've been using unique passwords for every website since. I still use a common base password, but integrate a clue about the website in the password (e.g. the color of the logo, website name shifted upwards). I don't use a manager, I can generally use this system across the board.
 
https://haveibeenpwned.com/
Collection #1 (unverified): In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services. Full details on the incident and how to search the breached passwords are provided in the blog post The 773 Million Record "Collection #1" Data Breach.

Compromised data: Email addresses, Passwords
Pwned.

This is all kind of useless, because I don't know which password(s) were pwned and inputting all of my passwords into that site would be freely giving them over to an unknown entity - why would I do that?
 
I use 1Password and am trying to teach my family members to use it. My wife had the same password - to make it worse, it was not even close to a strong password. I typed it in the Pwned database - it came up over 300k times.
I tried one of my old passwords I used in a few places - it came up 3 since it was relatively strong. I'm certain it was exposed in a breach.
It took some time, but each one of my accounts is using a random password. My challenge questions (favorite color, school mascot, etc) are also treated as passwords.
If I ever lose access to my password vault, I'm screwed I guess.
 
Does anyone have a link to the data?
 
I'm so glad I started using KeePass. Great little program to help fight this kind of crap.


Same here, but I'm using keepassXC as that fork is still in active development, where regular keepass has tapered off. Browser plugins work MUCH better with XC.

I also went the keepassxc route as that's the only password software that keeps everything on a local DB. I do not trust storing all my passwords on some other company's SaaS platform, and if their service goes down you're screwed. I have a Nextcloud server at home that I use to store my DB file and sync between all my devices. Works great, and if my Nextcloud server goes down, I still have a synced copy locally.
 
Some new sources from that list that you might have had an account on -

Malwarebytes
vBulletin
Plex.tv
Daemon-tools
 
Looks like my email was leaked on 8 sites, luckily I use different PWs.


Same, saw the PW site and said F that.

I thought about using it from a different system that I have ABSOLUTELY no accounts on. But, I don't have access to any.
 
The site only cross checks between what they have on file and what you inputted, there's no other saving being done. You can also download the entire leaked pw list yourself if you scroll down.
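Several posts above hesitate to type a live password into a third-party site. The Pwned Passwords range lookup is designed for that concern: the client hashes the password with SHA-1 locally and sends only the first five hex characters of the hash, receiving every known hash suffix for that prefix, so the full password and even its full hash stay on the machine. The added example below (not from the thread, HIBP, or any password manager) implements that client-side matching against a constructed sample response, plus the same check against the downloadable full list mentioned above; the sample counts and the optional live query's User-Agent string are assumptions.

```python
import hashlib
import urllib.request
from typing import Tuple

# Constructed stand-in for the text a range lookup returns for prefix 5BAA6:
# one "<35 hex suffix>:<count>" line per known hash. The first suffix is the
# real SHA-1 tail of the word "password"; the counts and other lines are made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
00000000000000000000000000000000001:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:13
"""

def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password; return the 5-char prefix that is sent and the
    35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix; 0 means never seen in a breach."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0

def count_in_full_list(password: str, list_lines) -> int:
    """Same check against the downloadable list, whose lines carry the full
    40-char SHA-1 followed by ':' and a count (assumed line format)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    for line in list_lines:
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == digest:
            return int(count)
    return 0

def check_offline(password: str, range_body: str) -> int:
    """Full client-side flow against an already-fetched range body."""
    _, suffix = split_hash(password)
    return count_in_range(suffix, range_body)

def check_online(password: str) -> int:
    """Live query of the range API; only the 5-char prefix goes on the wire."""
    prefix, suffix = split_hash(password)
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example"})  # assumed UA string
    with urllib.request.urlopen(req, timeout=10) as resp:
        return count_in_range(suffix, resp.read().decode("ascii"))

if __name__ == "__main__":
    print(check_offline("password", SAMPLE_RANGE_5BAA6))  # 3730471
```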
 
Well two of my "yahoo related" email accounts were on that list. Wouldn't surprise me if the Yahoo entities (AT&T) got hacked and are dragging their feet "doing an investigation". Of course I use those email addresses primarily for ... well sites like this, that are 'unimportant' so who knows if it was site or email that is hacked, but being as my email passwords don't show up as being pwned I'm guessing some random shit, like I see one email related to "ArmorGames" like seriously from who knows when. So fuck if I care about that. Both are connected to "Collection #1" though, so who knows if this is just reusing old information to make a bigger list or if this is all new information.
 
1Password user here. Finally got my parents to use and they are now working on their friends. Sometimes they do listen and it's amazing :)

Anyone not using a password manager or some strategy to avoid reusing passwords is just asking for it.
 
...Of course I use those email addresses primarily for ... well sites like this, that are 'unimportant'...

 
Wouldn't surprise me with all this "weak" security out there by companies who apparently do a piss-poor job of encrypting things like... passwords, and the call for 2-step verification or a phone number to authenticate: these companies are just finding new ways to mine data from you.
 
I used to think HIBP was interesting and useful. Now its only real use is maybe convincing someone that their password and their habit of sharing it are dangerous. Without churning email addresses with every set of credentials, it gives me no clue about what might have been compromised. Is it my retired password from when Adobe got hacked triggering it, or something I use now? Using a password manager and unique passwords these days, verifying them using their password checking service would be prohibitive, if I even felt comfortable shoving my password for service X through a web form run by service Y and of unknown security status.
 
Yahoo is owned by Verizon.
 
One of my email addresses was subject to exposure a number of times and is an older one that I've been proactively winding down use of:


That said, I've currently got almost 400 differing sets of credentials (stored in an IronKey thumbdrive) and never use the same password twice, and always ensure the use of complex passwords. I've also long since closed a majority of the accounts I don't use anymore.

Maybe not 100% foolproof, but it's better than not doing anything and hoping for the best.
 
The password situation has become so burdensome for people it is ridiculous. I loathe having to ask someone for their password; they then go and grab a plethora of papers and books, often with several incarnations of credentials, and one by one we go through them until they all fail and we end up having to change the password... again.

While I love KeePass and password spreadsheets, they scare the hell out of me knowing how reliably people back up their data. Combined with thumb drive reliability and the "salesman backup" (it's called a backup drive, so if you MOVE everything over to it, it's backed up!!), over-reliance on those techs scares the hell out of me.

The personal algorithm for creating a password is the best thing in my mind, but getting people to understand that has been extremely difficult.

And while 2FA is great, it's just another gate to lock you out of your account when you need it most, especially when the 2FA device is unavailable for some reason.

What really irritates me is that in most of these cases the actual owner of the account is jumping through more hoops trying to gain access to their accounts than the hackers.

Unfortunately it seems like there is little hope in this field. I had read somewhere that several companies had solutions but they have yet to materialize. And even so, I still feel they will always be flawed by the one principle that cannot be undone, and that is the end user. The bane of personal computing...
 
I call BS on that website. It said my email address was compromised on Disqus as part of a 2012 data breach, but I didn't register until the end of 2014. It looks like a slimy way to get people to signup for 1Password.com.
 
I've had the same email account since 1997, I'm not surprised I'm on the list. I guess changing passwords every....5 years or so is good enough, right? :p
 
Email address was compromised 28 times. I'd expect that since I've had it since I signed up for Gmail as a beta tester. Password is good though, think having it be 16 characters long helps.
 
I was bored this past weekend and spent a little time in my password manager (see, told you I was bored). Between my accounts and my family, we have about 500 entries! The majority are mine - lots of the accounts haven't been used by me in ages. I don't even remember some of them.
Even if I take the time to close some of these out, do I think that the companies/sites are removing my data? Doubtful. It makes me hesitant to open any new accounts. It makes your thumbprint that much bigger.
 
Same, I've been pwned 3 times but have no idea how or why.
It actually lists the hows and whys. Basically if you had an account on a service with that email that was ever compromised it will list you as pwned.

My problem is that it doesn't show which password was compromised. I use dozens and I don't want to go around changing all of them everywhere because one of my throw-away passwords was hit.
 
I change these passwords to nonsense garbage that I’d never remember. That way if they do leak...it’s useless.
 
I've only got windows machines, and KeePass fits the bill for me. The DB file can be used by keepassXC if I choose to use it on my phone, so there's a plus there. I store the DB file on my NextCloud server, and it gets synced across all my machine.
 
what sucks is I'm apparently in this list, but I have no idea what PW it's for and checking all of them would take me hours. I guess I'll look at financials/bill PWs as well as the ones for my email accounts...hopefully that's enough.
 
the only sane way to keep unique strong passwords for every site you visit etc... is to use something like keepass to encrypt them all and generate on the fly, saved on your own local storage. then you only need a single master password to remember. easy. and it's free....

this hibp, you'd have to use 1password (there is a free trial), load your database, then run the hibp module, change those passwords at the sites, then delete 1password when you're done, also delete trash (or continue using it if you want to).

other than 2fa, there are newer standards like U2F and FIDO2


Using a YubiKey in this mode for entering the master password is a transition from something you know to something you have, i.e. it's actually comparable to using a key file instead of a master password. When you lose your YubiKey or someone else gets access to it, your database isn't secure anymore. A YubiKey in static password mode can be seen as a sheet of paper with a password on it.

https://www.yubico.com/works-with-yubikey/catalog/keepass/
 
Well, as I read this just today: someone from Florida by the name of Lazaro Vega Rodriiguez got a hold of my Best Buy account and did 2 in-store pickups for 2 Nintendo Switches. Had it not been for the confirmation email Best Buy sent me, it would have been done. I changed my password but I am thinking it was done differently. I mean the smart man inside me tells me: why the heck didn't he change my password via login and the email, hmmm. But I canceled the orders and reported it to Best Buy. Wondering if this shit was done internally.

So I am using unique passwords generated by LastPass for my accounts and slowly updating them. Especially the main ones. I was beta testing LastPass so I have been getting the free service since then. It does have the option to get premium service but my account works as is for everything.

Shits crazy these days.
 
The main feature in XC is the auto DB refresh. If I update on one machine and get on another machine with keepass already open, it will automatically refresh. Regular keepass required closing the DB and opening again, and that annoyed me way too much. Plus the plugin always gave me issues.
 
I don't worry about passwords, as I keep a pretty strong password policy on all my accounts (length, different for each account, 2 factor, blah blah blah), but damn if they don't keep leaking other personal data (birthdate and crap like that) that the punks can use to social engineer my accounts without any recourse or expiration date. Might not be now, maybe not tomorrow but shit if I'm going to remember this 2 years or 10 years or some bs amount of time down the road.
 
This kind of thing happens so frequently that soon enough - and I know this is actually more than likely going to possibly happen (figure that one out) - we're going to see a report that the "';--have i been pwned?" website itself is going to be pwned. :D
 