3.2 billion email passwords leaked

UnknownSouljer

https://cybernews.com/news/largest-compilation-of-emails-and-passwords-leaked-free/

More than 3.2 billion unique pairs of cleartext emails and passwords have just been leaked on a popular hacking forum, aggregating past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and more. This leak is comparable to the Breach Compilation of 2017, in which 1.4 billion credentials were leaked.

However, the current breach, known as “Compilation of Many Breaches” (COMB), contains more than double the unique email and password pairs. The data is currently archived and put in an encrypted, password-protected container.

Might be good to check and change your passwords in general, but also otherwise a good idea to see whether or not you’re affected. At this point I should hope everyone on the [H] also has 2FA to help prevent a breach even in the event of a leak like this (although we all also know that can be hacked or hijacked as well, but it makes the chance of you getting targeted much smaller).
 
I’ve been harping on management to allow me to enforce stricter requirements for passwords for a while. Found most of them in the breach and confirmed their leaked credentials worked in a few places. Needless to say their accounts are now locked. I also suspect I won’t be getting next week off as planned.
 
I think more important than individual password requirements is enforcing a good password generation system like password managers or something like this maybe: https://www.netmux.com/blog/one-time-grid

edit: enforcing is a strong word. Maybe initially teaching/educating them about it. I didn't really think about how you might enforce it.
 
Did the checker, and yup, every one of my email accounts got the "oh no", even ones I haven't used in over a decade. I wonder if this used old lists. I'd be curious to see what the password is that's supposedly related to my email to actually see if it's been compromised.
 
I’ve been harping on management to allow me to enforce stricter requirements for passwords for a while. Found most of them in the breach and confirmed their leaked credentials worked in a few places. Needless to say their accounts are now locked. I also suspect I won’t be getting next week off as planned.
Follow up:
They have noticed their accounts are locked and understand why I did it. But now they want to take security to 11, I just wanted to enforce password expiry dates and maybe take it from 6 min to 8 min with some special characters and numbers and stuff. But no now they want all that and 2 factor, but half our staff refuse to own cellphones and generally hate tech, so now I’m sourcing RSA key fobs....
 
I wonder if this used old lists. I'd be curious to see what the password is that's supposedly related to my email to actually see if it's been compromised.
As per the OP this is a combination of old lists. Basically there are groups taking all the email and password pairs and making a massive database of this information from multiple hacks over the past 3 years or so. Which of course means if people are compromised and haven’t changed their info then they’re more likely to be targeted by a massive attack if some hacker wants to get around to it. Considering that banking information and other critical data is also put through email, this could have financial implications if nothing else.

Basically this news post is just a reminder to be on top of your passwords - because we all need reminders to be vigilant.
 
Follow up:
They have noticed their accounts are locked and understand why I did it. But now they want to take security to 11, I just wanted to enforce password expiry dates and maybe take it from 6 min to 8 min with some special characters and numbers and stuff. But no now they want all that and 2 factor, but half our staff refuse to own cellphones and generally hate tech, so now I’m sourcing RSA key fobs....

You were using six character passwords??

Bruh
 
Out of morbid curiosity I put in a fake account password... got a chuckle

But in seriousness, this one is good as it seems to let you know which data breach your email was part of.
https://haveibeenpwned.com/

Apparently one of my yahoo throwaways was part of a Myspace breach 12 years ago? :D
I did my personal email and it says 4 breaches. 3 of the pages it mentions I have never even heard of, so ?
 
Firefox / Mozilla has a utility that checks a variety of the "wasipwned" type sites and they're a legit mozilla project - https://monitor.firefox.com

That said, this is a good time to suggest that you should use an open source solution for your passwords and similar data. If you only need a browser or a few other connections, Firefox Lockwise (aka the Firefox built in password, address, credit card and other personal info manager) is solid. If you have more complex needs I suggest one of the following:

KeePass - If you want to control the database of data as a file, KeePass is the way to go. There are tons of different clients (many with plug-ins), from the original https://keepass.info/ or https://keepassxc.org/ for a desktop Windows/Mac/Linux manager, or https://www.keepassdx.com/ for Android. Whatever plugins or clients you use, I'd say stick to open source ones but anything that can read the .kdbx data format will be sufficient.
BitWarden - If you want a cloud based alternative database (similar to Lastpass, Dashlane, 1Password etc) then https://bitwarden.com/ is the way to go. Open clients for all platforms and you can either use their zero knowledge server (free, but $10/year for some extra features for a single user, $40/year for up to 6 family users) or if you want you can host your own server too if you wish!
Aegis Authenticator - In the event you want a secondary HOTP/TOTP generating application, this is one of the best I've found for Android. It even has a backup feature so you don't need to unsync and resync everything when you get a new phone. https://getaegis.app/ . Of course, if you use KeePass or BitWarden you may be able to use their TOTP/HOTP generating features, but this is another option.

Hope it helps!
 
Follow up:
They have noticed their accounts are locked and understand why I did it. But now they want to take security to 11, I just wanted to enforce password expiry dates and maybe take it from 6 min to 8 min with some special characters and numbers and stuff. But no now they want all that and 2 factor, but half our staff refuse to own cellphones and generally hate tech, so now I’m sourcing RSA key fobs....

As long as the interval is at least 1 year, I don't have a problem with password expiries. 90 day password expiries like at my current company are just obnoxious and hurt way more than they help. What's even more ridiculous is 2FA is enforced and we get automatically logged out of the mobile apps every 30 days or so, and the apps don't always tell us we were logged out so notifications are missed....

Yep, Gmail account leaked. Changing password now.

Problem is that this doesn't tell us when it was breached and with what set of passwords. I generally just rely on Chrome to tell me if passwords I'm using have been compromised. If it's on an account I don't care about, I just leave it alone.
 
You were using six character passwords??

Bruh
They haven’t let me upgrade the password requirements for the last decade. And the person I answer to is turning 67.... fortunately they are being retired in April. But yeah I am forced to submit to the lowest tech users' complaints. Last time I increased password difficulty requirements I was met with a grievance from 2 of the 3 unions and the board demanded I change it back.
 
As long as the interval is at least 1 year, I don't have a problem with password expiries. 90 day password expiries like at my current company are just obnoxious and hurt way more than they help. What's even more ridiculous is 2FA is enforced and we get automatically logged out of the mobile apps every 30 days or so, and the apps don't always tell us we were logged out so notifications are missed....



Problem is that this doesn't tell us when it was breached and with what set of passwords. I generally just rely on Chrome to tell me if passwords I'm using have been compromised. If it's on an account I don't care about, I just leave it alone.
I am thinking of 120 days, force the password changes at the beginning of each semester.
 
Sites share data, so register on one and they can share it with god only knows who.
Never really thought about that. I'm not concerned about them then, as they wouldn't have my password, just my email address.

The other was for Bell Canada, and that breach was well publicized and I replaced my password after that.
 
I am thinking of 120 days, force the password changes at the beginning of each semester.

120 days is still too short IMO. Based on my observations, unless people use password programs, they'll start doing xxxxxxxxxx1, xxxxxxxxxx2, etc. Or they'll have it written down somewhere. This will be especially true if enforcing special characters.
 
I am thinking of 120 days, force the password changes at the beginning of each semester.
14 minimum if no MFA, no or very long expiration with no forced composition rules, ideally.

People just cheat the password changes and increment a number. It's IMO almost useless outside of auditors complaining. Requiring special characters is just annoying and makes buy-in more difficult.

That and I ban some extremely common words like... our company name, seasons, local teams and sports. Because that's the first place people will turn to next.

MFA is the proper solution, however.
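An added example, not code from anyone in this thread: a small policy checker that applies the rules discussed in the last few posts, the minimum length (the 14-without-MFA / 12-with-MFA thresholds are assumptions combined from the two posts), a banned-word list of the kind described (company name, seasons, local teams; "acme" and "wildcats" are placeholders), and detection of the "increment the number", "number at the front" and "rotate the case" tricks against the previous password.

```python
import re

# Constructed banned list: the post names the company name, seasons and local teams
# as the first things people reach for. "acme" and "wildcats" are placeholders.
BANNED_TERMS = {"acme", "spring", "summer", "autumn", "fall", "winter",
                "football", "hockey", "baseball", "wildcats"}

# Fold common letter/digit substitutions so "Summ3r" or "@cme" still match.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def fold(pw: str) -> str:
    """Lower-case and un-leet the whole password for banned-word matching."""
    return pw.lower().translate(LEET)


def core(pw: str) -> str:
    """What is left after dropping digits/symbols at either end, then folding case.
    'Winter2021!', '7Winter' and 'W1NTER' all reduce to 'winter'."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return fold(stripped)


def check_password(new: str, previous: list[str], mfa_enabled: bool) -> list[str]:
    """Return a list of policy problems; an empty list means the password is accepted.
    Thresholds are assumptions taken from the thread: 14 chars without MFA, 12 with."""
    problems = []
    min_len = 12 if mfa_enabled else 14
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    folded = fold(new)
    for term in sorted(BANNED_TERMS):
        if term in folded:
            problems.append(f"contains banned word '{term}'")
    # Catch the 'increment the number', 'number at the front' and
    # 'rotate the case' tricks by comparing the stripped, folded cores.
    if core(new) and any(core(new) == core(old) for old in previous):
        problems.append("only the digits, symbols or case changed from a previous password")
    return problems


if __name__ == "__main__":
    print(check_password("2Summ3rtime!!!", ["Summ3rtime1"], mfa_enabled=True))
    print(check_password("tangent-velvet-igloo-47", ["Winter2020"], mfa_enabled=False))
```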
 
14 minimum if no MFA, no or very long expiration with no forced composition rules, ideally.

People just cheat the password changes and increment a number. It's IMO almost useless outside of auditors complaining. Requiring special characters is just annoying and makes buy-in more difficult.

That and I ban some extremely common words like... our company name, seasons, local teams and sports. Because that's the first place people will turn to next.

MFA is the proper solution, however.
I want 12 characters min, 1 special, 1 number, for everybody and I want to enforce MFA on all Admin or Exempt staff. This should keep everybody happy and all Admin/Exempt staff have work assigned cellphones. So MFA becomes easy and then I don’t have to fight the union on anything major.
 
they'll start doing xxxxxxxxxx1, xxxxxxxxxx2
Windows has been onto that trick for many years. The cool kids put the number at the front. I recommend, though, rotating through the upper-case and the lower-case alphabets, as you get years before you have to come up with a new password.
 
I want 12 characters min, 1 special, 1 number, for everybody and I want to enforce MFA on all Admin or Exempt staff. This should keep everybody happy and all Admin/Exempt staff have work assigned cellphones. So MFA becomes easy and then I don’t have to fight the union on anything major.
My company went Office 365 last year. They required 10 characters, one special, one number. And then they enabled PINs. Great, nice job forcing me to use a password like :L#oE37Sa, and then saying 123456 is OK too.
 
I've given up trying to tell family and friends about good password use.
People never learn. I've seen tons of people get their Facebook accounts "hacked" (or as we really know, their password was likely just guessed) and they still don't learn.

Until identity theft becomes an epidemic at the level of 1 in 20, the average schmo likely won't get it. But after it happens to their best friend, their mom, their aunt, whoever, and they see that person's life ruined, they might take it more seriously.
 
My company went Office 365 last year. They required 10 characters, one special, one number. And then they enabled PINs. Great, nice job forcing me to use a password like :L#oE37Sa, and then saying 123456 is OK too.

Doesn't sound like you were forced to use that password. Diceware a few words and make something more human.

Also PIN is tied to an individual device and is useless without that hardware.
 
Well, I just changed the password for my Microsoft and Google accounts to something I have never used before.
 
This article sent me on a quest to begin to better understand Privileged Access Management (PAM) at an individual and family level. I've always been squeamish about storing logins locally, but it's led to breaking some of the best practices out there. So I set out to learn how password managers work. This video was helpful.

I then quested to understand Lastpass, 1Password, Dashlane, Bitwarden, Keeper, and made an investment...followed by generating random passwords that even I don't know and enabling Multifactor Authentication (MFA) on a number of accounts where it was surprisingly not enabled.
Thanks for the article - took one more giant step forward in my cybersecurity posture.
 
Windows has been onto that trick for many years. The cool kids put the number at the front. I recommend, though, rotating through the upper-case and the lower-case alphabets, as you get years before you have to come up with a new password.
Shhhhhhhhhh!!!
 
Jokes on them, I don't use a password, I just hit the spacebar once! :p
Alt key + 254 is a character, but it is a blank one, so technically it works as a placeholder. I used that as a teenager, many folders deep, to hide, you know, what every teenager hides, my PORN stash. I finally got tired of going 25 folders deep to get to something, so I just put a folder marked PORN, another one marked YES, and another one with a URL link with a folder icon that went to disney.com.
 
Well my main email and secondary have not been pwned. The yahoo mail I used for fantasy football like 10 years ago? 3x. I can’t even remember that password..
 