10 Million Stolen Passwords Were Just Released

CommanderFrank

A security researcher and consultant has posted 10M stolen passwords that he took from torrents on the Internet. The researcher has made it simple to go to another website and check to see if one or more of the leaked passwords may be yours. Give it a look. :cool:

Burnett didn’t steal the passwords in question, of course, but they’re now easily accessible to anyone and everyone — here’s how you can quickly and easily find out if you are affected.
 
Site is being hammered. My searches are taking well over a minute, haha.
 
The raw file was only 80 MB, just go look it up. I don't get the big deal about this thing, it's not even that big.
 
So some site wants you to enter your password to see if it was stolen? Yeah I'll get right on that.
 
There's a torrent you can download that contains a text file of all the usernames and passwords.

I actually found my Steam forum username and an old password with it :eek:
 
So some site wants you to enter your password to see if it was stolen? Yeah I'll get right on that.

Exactly what I was thinking, however you don't need to enter your full password. Entering half of it would probably find it, assuming it wasn't something common, which it shouldn't be of course. Also, entering a username only could let you know if you're on the list. I wouldn't recommend entering your full password either.
 
Awww so disappointed it didn't simply have a dialog box of "insert your username and password to a site you use to see if it's been stolen"
 
The site suggests only putting in the first 4 characters of your pw and doing a search, not the whole pw.

It seems a trifle overloaded right now for some reason.
 
I just downloaded the torrent and ctrl+F'd the file in Notepad++. None of the various names and passwords I use were listed. Yay!

Seems as though some of these credentials were stolen from porn and dating sites, judging from the user names. Scroll down to the "hot" section.
 
No shit sherlock. You don't have a capital letter in that password!
 
The usernames I use for common sites and stuff are not listed, yay.....

However, Freaky is used by everyone for everything, sheesh.
 
I have one throwaway email account that I don't use for anything serious or legitimate, and that showed up.



ADOBE

Adobe: The big one. In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.

Compromised data: Email addresses, Password hints, Passwords, Usernames
 
Most of these just seem to be useless forum log-ins. They would be far more useful if they included e-mail addresses. I was hoping to get into some Facebook accounts.
 
The thing to take away from looking at these compromised passwords is that most only contain alpha and numeric characters. Considering that password strength and security are determined by complexity and length, anyone can use high ASCII characters (128-255) in their password to increase permutations. High ASCII characters usually require entering with ALT + decimal value since there isn't a corresponding keyboard key.

So, a three character password...

with numeric only has 10^3 = 1000 permutations

with lower case alpha only has 26^3 = 17576 permutations

with lower case alpha plus numeric (26+10)^3 or 36^3 = 46656 permutations

with lower and upper case alpha plus numeric (26+26+10)^3 or 62^3 = 238328 permutations

with lower and upper case alpha plus numeric plus symbols (26+26+10+32)^3 or 94^3 = 830584 permutations

with high ASCII characters 256^3 = 16777216 permutations

twelve high ASCII characters 256^12 = 79228162514264337593543950336 permutations

But the reality is that a lot of sites have such restrictive password systems that they make it weak.
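The keyspace arithmetic in the post above, carried out in code as an added example (this is not code from the thread or from any tool it mentions). It reproduces the permutation counts for the same character-class sizes the post uses (10, 26, 36, 62, 94, 256) at any length, and adds the equivalent entropy in bits plus the time needed to exhaust the whole keyspace at an assumed guess rate. The guess rate is a constructed figure for illustration; the 256-symbol row treats every byte value as usable, exactly as the post does.

```python
"""Password keyspace calculator (added example, not from the thread).

Shows how the number of possible passwords, and therefore the worst-case
brute-force effort, grows with alphabet size and length.
"""
from math import log2

# Character-class sizes as used in the post above.
CHARSETS = {
    "digits": 10,
    "lower": 26,
    "lower+digits": 36,
    "lower+upper+digits": 62,
    "lower+upper+digits+symbols": 94,
    "high ASCII (all 256 byte values)": 256,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols (size ** length)."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a password chosen uniformly at random from the keyspace."""
    return length * log2(alphabet_size)


def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Seconds to try every password in the keyspace at the given (assumed) guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def table(length: int, guesses_per_second: float = 1e9) -> list:
    """One row per character class: (name, keyspace, bits, seconds to exhaust)."""
    rows = []
    for name, size in CHARSETS.items():
        rows.append((
            name,
            keyspace(size, length),
            entropy_bits(size, length),
            worst_case_seconds(size, length, guesses_per_second),
        ))
    return rows


if __name__ == "__main__":
    # 1e9 guesses/second is a constructed, illustrative rate, not a measurement.
    for length in (3, 12):
        print(f"\nlength {length}, at 1e9 guesses/s:")
        for name, space, bits, secs in table(length):
            print(f"  {name:34} {space:>32,d}  {bits:6.1f} bits  {secs / 86400:.3g} days")
```

Running it prints the same counts the post lists for length 3 (1000, 17576, 46656, 238328, 830584, 16777216) and for twelve high-ASCII characters, alongside the entropy each represents; the doubling from 36 to 62 to 94 symbols matters far less than adding a few characters of length.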
 
During security audits I've noticed a lot of patterns. Things like:
  • First char is uppercase
  • Last char is special or a number.
  • Where a number and special are required the last 2 are usually number-special, i.e. "Password1!"

Using oclhashcat we can usually break 75%+ of passwords within 24 hours, with about 40% done within an hour. It's actually quite terrifying.
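A small audit helper, added here as an example (not code from the poster or from oclhashcat), that checks a password list for the three habits described in the post above: uppercase first character, digit or symbol last, and a digit-then-symbol tail as in "Password1!". It also flags the full "Capital word + digits + optional symbol" template so a defender can measure how much of a user population follows it. The sample passwords are constructed for illustration, not taken from the leaked file.

```python
"""Password-pattern audit (added example, not from the thread).

Counts how many passwords in a list follow the structural habits the post
describes, so a policy owner can see how predictable a population is.
"""
import re
import string
from collections import Counter

SYMBOLS = set(string.punctuation)

# "Capital letter, lowercase word, one or more digits, optional trailing symbol",
# e.g. "Password1!" or "Summer2015".
COMMON_TEMPLATE = re.compile(r"^[A-Z][a-z]+\d+[^\w\s]?$")

# Constructed sample list for demonstration; not real leaked credentials.
SAMPLE_PASSWORDS = [
    "Password1!", "Summer2015", "qwerty", "Welcome1",
    "correct horse battery staple", "Tr0ub4dor&3", "letmein!",
    "Admin#9", "N7x!vQ2pL%", "dragon",
]


def pattern_flags(pw: str) -> dict:
    """Which of the three habits from the post a single password exhibits."""
    if not pw:
        return {"upper_first": False, "digit_or_symbol_last": False, "digit_symbol_tail": False}
    first, last = pw[0], pw[-1]
    return {
        # First character is an uppercase letter
        "upper_first": first.isupper(),
        # Last character is a digit or a symbol
        "digit_or_symbol_last": last.isdigit() or last in SYMBOLS,
        # Ends with a digit immediately followed by a symbol, e.g. "...1!"
        "digit_symbol_tail": len(pw) >= 2 and pw[-2].isdigit() and last in SYMBOLS,
    }


def predictable(pw: str) -> bool:
    """True when the password fits the whole 'Capital word + digits (+ symbol)' template."""
    return COMMON_TEMPLATE.match(pw) is not None


def audit(passwords) -> dict:
    """Count how many passwords hit each pattern; 'total' is the list size."""
    counts = Counter()
    for pw in passwords:
        for name, hit in pattern_flags(pw).items():
            if hit:
                counts[name] += 1
        if predictable(pw):
            counts["predictable"] += 1
    counts["total"] = len(passwords)
    return dict(counts)


if __name__ == "__main__":
    result = audit(SAMPLE_PASSWORDS)
    total = result["total"]
    for name in ("upper_first", "digit_or_symbol_last", "digit_symbol_tail", "predictable"):
        n = result.get(name, 0)
        print(f"{name:22} {n:3d}/{total}  ({100 * n / total:.0f}%)")
```

On the constructed list, six of ten start with a capital, seven end in a digit or symbol, and three fit the full template; run against a real audit export (hashed passwords recovered under an authorised engagement, or plaintexts at registration time) the same counts tell you whether a composition policy is producing "Password1!" by design.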
 
During security audits I've noticed a lot of patterns. Things like:
  • First char is uppercase
  • Last char is special or a number.
  • Where a number and special are required the last 2 are usually number-special, i.e. "Password1!"

Using oclhashcat we can usually break 75%+ of passwords within 24 hours, with about 40% done within an hour. It's actually quite terrifying.

How many permutations do you go through to get the password?

I don't know, I find it hard to blame the user on this, considering everything has a password nowadays. So do you use the same password everywhere? How are you supposed to have something easy to remember? It gets a bit crazy.
 
Oh, OK..........So I verify that my password is stolen and provide the crook with my credentials to boot!
Genius!
 