New Data Dump Contains Billions of Email and Password Pairs

AlphaAtlas

[H]ard|Gawd
Staff member
Following the leak of 773 million records from what security researchers call "Collection #1" earlier this month, experts are now saying that "Collections #2 - #5" contain even more information. The Hasso Plattner Institute says that "around 2.2 billion e-mail addresses and the associated passwords circulate through Collections # 1 to # 5," and Naked Security claims the newly uncovered collections represent about 845GB of data covering 25 billion records. Needless to say, if you happen to have an email account, checking to see if other services tied to that account have been compromised with identity checking websites like Have I Been Pwned or HPI's tool is probably a good idea. It's quick and painless, and I just found several compromised accounts across 2 of my email addresses, which is a testament to why you should never re-use passwords. Thanks to Schtask for the tip.

The obvious measure of these breaches is how much new data they represent, that which has not already been added to databases such as those amassed by HIBP or HPI. Have I Been Pwned? estimated the unique data in Collection #1 at around 140 million email addresses and at least 11 million unique passwords. HPI, meanwhile, estimates the number of new credentials at 750 million (it isn’t yet clear how many new passwords this includes)... When faced with these sorts of numbers, it’s tempting to shrug one’s shoulders and move on – most of these data breaches are old, so what harm might they be doing now? Initially, breached credentials are probably traded to give attackers access to the account on the service from which they were stolen. After that, they are quickly traded again to use as fuel for the epidemic of credential stuffing attacks. Credential stuffing thrives on our habit of reusing passwords - credentials for one service will often give a criminal access to other websites too. Remember that while plaintext passwords are pay-dirt for criminals, usernames and email addresses are also valuable because they give them something to aim at when trying a brute-force attack.
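The post recommends checking your addresses against Have I Been Pwned. The same service also lets you check a *password* without revealing it: its Pwned Passwords range endpoint takes only the first five hex characters of the password's upper-case SHA-1 and returns every matching suffix with a breach count, so the client does the final comparison locally (k-anonymity). The example below is added here to show that exchange end to end; it is not code from the original thread or from HIBP. The endpoint URL, the SHA-1 split and the `Add-Padding: true` header are the real API; the function names, the "constructed" server stand-in and its breach counts are assumptions made for this example, so the block runs offline (the real SHA-1 suffixes of "password" and "123456" are used as the known-pwned entries).

```python
import hashlib
import urllib.request

# Real HIBP Pwned Passwords range endpoint (k-anonymity API).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to HIBP and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Lines with a count of 0 are the padding entries HIBP adds when the client
    sends 'Add-Padding: true'; they are dropped so padding is never reported
    as a hit."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_online(prefix: str) -> str:
    """Fetch the range for one 5-hex-char prefix from HIBP (network call).
    Only the prefix is in the URL; the password itself is never sent."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_online) -> int:
    """Return how many times the password appears in the Pwned Passwords
    corpus (0 = not found). The suffix comparison happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the HIBP server so the example runs offline.
# The 35-char suffixes of "password" (prefix 5BAA6) and "123456" (prefix
# 7C4A8) are their real SHA-1 suffixes; the counts and the other suffixes
# are invented for illustration, including one zero-count padding line.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E2F1DF8F9F3B7C4B5A6D7E8F9A0B1C2D3E:12\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "ABCDEF0123456789ABCDEF0123456789ABC:0\n"  # padding entry
    ),
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:23597311\n",
}


def fetch_range_constructed(prefix: str) -> str:
    """Offline replacement for fetch_range_online using the constructed data."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    # Swap fetch_range_constructed for fetch_range_online to query HIBP for real.
    for pw in ("password", "123456", "xK9#vL2!pQ7mR4wZ"):
        print(f"{pw!r}: seen {pwned_count(pw, fetch_range_constructed)} times")
```

Dropping the zero-count lines matters: with `Add-Padding` enabled the server mixes fake suffixes into every response so that the response size does not leak which prefix was queried, and a client that treats any matching line as a hit would produce false positives. A breach count of 0 from this check does not mean a password is safe to reuse; it only means it is not in the corpus HIBP has collected.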
 
When I looked into Collection #1, most of the stuff in there was REALLY old. I had changed my passwords several times since that data was stolen.

These days I use KeePass and randomly generate a different password for every account. Very unlikely they will be brute forced, and if one gets stolen due to a site exploit, I only have one account compromised.
 
Needless to say, if you happen to have an email account, checking to see if other services tied to that account have been compromised with identity checking websites like Have I Been Pwned or HPI's tool is probably a good idea.

Here is something I figured I'd ask. Maybe I am just using Have I Been Pwned wrong, but that site seems near useless to me. There is so little data on it that I can't tell in many cases how old a breach is (impacting very old passwords or newer ones) and, in the case of these collections, even what sites they were in regards to, just that my email address was included.

I mean, for the individual breaches it is fairly easy to understand what happened, but for these big collections it would be nice if they included the information from the source site and date collected columns.

How do you guys make effective use of Have I Been Pwned? I find the data too vague to make any decisions off of.

Some might argue that you should change your password every time it shows up at all, just in case, but do you know how annoying it is to manually have to type in a 64 character randomized password consisting of letters, numbers and special characters on the mobile keyboard of multiple devices?
 
I like to show the 'head in the sand' folks how web browsers have devolved into highly proficient spyware. The big shocker is when I show them how fast I can grab all their passwords. The latest Chrome wants access to your camera, microphone, Bluetooth, USB drives, devices, payment methods, addresses, and now Google is talking about the ability to edit your computer files, truly a hacker's paradise. Firefox is in a downward spiral as well. I keep waiting for the table flipping moment but it never seems to come.

I try to set people up with KeePass but they're too lazy to use it.
 
Some might argue that you should change your password every time it shows up at all, just in case, but do you know how annoying it is to manually have to type in a 64 character randomized password consisting of letters, numbers and special characters on the mobile keyboard of multiple devices?

KeePass with the browser plugin (Kee on Firefox).
 
KeePass with the browser plugin (Kee on Firefox).

That doesn't help you with mobile devices.

Change your Google password, generating a new random KeePass password, and now you have to manually type it in on your other devices before you can even get to the KeePass app.
 
Why have Collections #1-5 only come to light now?
"Either because the data has already been exploited and is now so old that it no longer has much commercial value (Collection #1 was offered for sale at $45), or because so many criminals have access to it that it's effectively become an open source resource."

I would stay vigilant, but most likely old data cobbled together. :meh:
 
I changed my password in December, but I did it again today for the hell of it. My email address is in the hacker database and will stay there forever, since I don't feel like starting over with a new email address.

I'm not sure what the security solution is, but two things need to happen: First, we need to stop allowing 'associate sites' to accept logins with our email credentials, and second, we need to come up with a way to take humans out of the equation. Everyone in IT has a security story, and mine is working on an accountant's computer and finding an Excel spreadsheet named 'passwords.xls' that contained about 30 sensitive accounts (including the university database). When I took it to my boss's boss, the Director of IT, he took a pass, and said we weren't going to do anything or mention anything because of departmental politics.
 
Here is something I figured I'd ask. Maybe I am just using Have I Been Pwned wrong, but that site seems near useless to me. There is so little data on it that I can't tell in many cases how old a breach is (impacting very old passwords or newer ones) and, in the case of these collections, even what sites they were in regards to, just that my email address was included.

I feel the same way about both. No real information for me to verify.
 
So here's a question for you: Why are we relying on websites to store credentials, which are often different for the same user across different websites? Why not just have OSes handle login information, so there would only be one or two places that would need to be secure?
 
So here's a question for you: Why are we relying on websites to store credentials, which are often different for the same user across different websites? Why not just have OSes handle login information, so there would only be one or two places that would need to be secure?

These days people have more than one device and more than one OS, being that most now use Linux for their mobile devices and likely Windows for their PC (if they have one). Websites like LastPass are a way to facilitate the changes between devices. Also, you are not always on your own computer and need access to your saved passwords.
 
These days people have more than one device and more than one OS, being that most now use Linux for their mobile devices and likely Windows for their PC (if they have one). Websites like LastPass are a way to facilitate the changes between devices. Also, you are not always on your own computer and need access to your saved passwords.

Ok, so what, maybe three or four OSes? Compared to how many websites each are storing your credentials?

OSes are a service now; passwords should be managed OS side.
 