773 Million Records from Massive Data Breach Uploaded to Have I Been Pwned

Discussion in 'HardForum Tech News' started by cageymaru, Jan 17, 2019.

  1. cageymaru

    cageymaru [H]ard as it Gets

    Messages:
    19,814
    Joined:
    Apr 10, 2003
Troy Hunt is a Microsoft Regional Director and is the owner and creator of Have I Been Pwned (HIBP). Today he alerted the security community to a massive 87GB data breach that the hacker community calls "Collection #1." It contains 773 million unique email addresses, 1.1 billion unique combinations of email addresses and passwords, and over 21 million unique passwords. The data dump is from a MEGA collection that a hacker community forum used to upload stolen credentials to as they shared their latest escapades. Since "Collection #1" has so many individual hackers associated with it, verifying all of the data breaches at individual companies is extremely time consuming. Curious consumers can use HIBP to check to see if their email address is part of the collection and they can use Pwned Passwords to see if their password has been compromised.

What's the Risk If My Data Is in There? I referred to the word "combos" earlier on and simply put, this is just a combination of usernames (usually email addresses) and passwords. In this case, it's almost 2.7 billion of them compiled into lists which can be used for credential stuffing: Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. In other words, people take lists like these that contain our email addresses and passwords then they attempt to see where else they work. The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because it's subsequently been breached and you've been using that same password all over the place, you've got a serious problem.
     
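The credential-stuffing pattern quoted above (one source replaying many different breached username/password pairs, each once) has a simple defensive signature in login logs: one client address attempting many distinct usernames in a short window, mostly failing. The following is an added example, not code from the article or the forum, and it runs over a small constructed log in a made-up line format; the five-user threshold and five-minute window are assumptions a real deployment would tune. Any account that succeeded inside a flagged window is exactly the one a defender should force to re-authenticate and reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). Line format is hypothetical:
# <timestamp> <source ip> login user=<name> result=<fail|success>
SAMPLE_LOG = """\
2019-01-17T14:00:01Z 203.0.113.5 login user=alice@example.com result=fail
2019-01-17T14:00:02Z 203.0.113.5 login user=bob@example.com result=fail
2019-01-17T14:00:02Z 203.0.113.5 login user=carol@example.com result=fail
2019-01-17T14:00:03Z 203.0.113.5 login user=dave@example.com result=success
2019-01-17T14:00:04Z 203.0.113.5 login user=erin@example.com result=fail
2019-01-17T14:00:05Z 203.0.113.5 login user=frank@example.com result=fail
2019-01-17T14:00:07Z 198.51.100.9 login user=grace@example.com result=fail
2019-01-17T14:00:09Z 198.51.100.9 login user=grace@example.com result=fail
2019-01-17T14:00:15Z 198.51.100.9 login user=grace@example.com result=success
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) result=(fail|success)$")


def parse(log_text):
    """Turn log lines into (timestamp, ip, user, result) tuples; skip lines that don't match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that tried at least min_distinct_users different usernames
    within any sliding window of the given length.

    Returns {ip: {"distinct_users": n, "successes": [accounts that logged in]}}.
    A user who fails a few times on their own account (198.51.100.9 here) is
    not flagged: the signal is breadth across accounts, not retries on one.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological; tuples sort by timestamp first
        start = 0
        best = None
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_distinct_users:
                successes = sorted({u for _, u, r in in_window if r == "success"})
                cand = {"distinct_users": len(users), "successes": successes}
                if best is None or cand["distinct_users"] > best["distinct_users"]:
                    best = cand
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"successful logins to reset: {info['successes']}")
```

The breadth-per-source heuristic is deliberately blind to retries on a single account, which is what ordinary lockout rules already cover; stuffing tools usually try each pair once, so per-account counters never trip.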
  2. exlink

    exlink [H]ardness Supreme

    Messages:
    4,383
    Joined:
    Dec 16, 2006
    Dang that sucks for people who utilize the same log-in information across sites.

    I've been using my own custom algorithm for developing strong, unique and memorable passwords for sites for years now. You're screwed if someone discovers your algorithm but that isn't likely.

    Also, if a site offers 2FA just use it for crying out loud.
     
    Last edited: Jan 17, 2019
    boocake, CrimsonKnight13 and Armenius like this.
  3. SPARTAN VI

    SPARTAN VI [H]ardness Supreme

    Messages:
    7,254
    Joined:
    Jun 12, 2004
    My coworker just got hit on multiple fronts. A "hacker" tried to access and change his bank, Instagram, and other passwords associated with pwn3d credentials. Needless to say: he learned the hard way not to use the same user ID/password combo everywhere.

    Happened to me with the Gawker breach nearly 10 years ago, so I've been using unique passwords for every website since. I still use a common base password, but integrate a clue about the website in the password (e.g. the color of the logo, website name shifted upwards). I don't use a manager, I can generally use this system across the board.
     
    Last edited: Jan 17, 2019
    exlink likes this.
  4. Space_Ranger

    Space_Ranger Gawd

    Messages:
    630
    Joined:
    Jul 13, 2007
    I'm so glad I started using KeePass. Great little program to help fight this kind of crap.
     
    Cerulean, DocNo and AlphaQup like this.
  5. sleepeeg3

    sleepeeg3 [H]ardness Supreme

    Messages:
    4,857
    Joined:
    Mar 4, 2004
    https://haveibeenpwned.com/
    Pwned.

    This is all kind of useless, because I don't know which password(s) were pwned and inputting all of my passwords into that site would be freely giving them over to an unknown entity - why would I do that?
     
    Last edited: Jan 17, 2019
  6. steakman1971

    steakman1971 2[H]4U

    Messages:
    2,433
    Joined:
    Nov 22, 2005
    I use 1Password and am trying to teach my family members to use it. My wife had the same password - to make it worse, it was not even close to a strong password. I typed it in the Pwned database - it came up over 300k times.
    I tried one of my old passwords I used in a few places - it came up 3 since it was relatively strong. I'm certain it was exposed in a breach.
    It took some time, but each one of my accounts is using a random password. My challenge questions (favorite color, school mascot, etc) are also treated as passwords.
    If I ever lose access to my password vault, I'm screwed I guess.
     
    DocNo likes this.
  7. meltdowner

    meltdowner [H]Lite

    Messages:
    96
    Joined:
    Jun 20, 2018
    Does anyone have a link to the data?
     
  8. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,224
    Joined:
    Nov 16, 2009

    Same here, but I'm using keepassXC as that fork is still in active development, where regular keepass has tapered off. Browser plugins work MUCH better with XC.

I also went the keepassxc route as that's the only password software that keeps everything on a local DB. I do not trust storing all my passwords on some other company's SaaS platform, and if their service goes down you're screwed. I have a nextcloud server at home that I use to store my DB file and sync between all my devices. Works great, and if my nextcloud server goes down, I still have a sync'd copy locally.
     
  9. AltTabbins

    AltTabbins [H]ard as it Gets

    Messages:
    19,180
    Joined:
    Jul 29, 2005
    Some new sources from that list that you might have had an account on -

    Malwarebytes
vBulletin
    Plex.tv
    Daemon-tools
     
  10. The Mad Atheist

    The Mad Atheist Gawd

    Messages:
    928
    Joined:
    Mar 9, 2018
    Looks like my email was leaked on 8 sites, luckily I use different PWs.

    Same, saw the PW site and said F that.
     
  11. Lizard Testes

    Lizard Testes Gawd

    Messages:
    524
    Joined:
    Dec 21, 2016
    Why do you ask?
     
  12. cageymaru

    cageymaru [H]ard as it Gets

    Messages:
    19,814
    Joined:
    Apr 10, 2003
    According to the article it was removed from MEGA.
     
  13. scojer

    scojer 2[H]4U

    Messages:
    4,053
    Joined:
    Jun 13, 2009
    I thought about using it from a different system that I have ABSOLUTELY no accounts on. But, I don't have access to any.
     
  14. NickJames

    NickJames [H]ardness Supreme

    Messages:
    6,617
    Joined:
    Apr 28, 2009
    The site only cross checks between what they have on file and what you inputted, there's no other saving being done. You can also download the entire leaked pw list yourself if you scroll down.
     
  15. sfsuphysics

    sfsuphysics I don't get it

    Messages:
    13,694
    Joined:
    Jan 14, 2007
Well, two of my "yahoo related" email accounts were on that list. Wouldn't surprise me if the yehoo entities (AT&T) got hacked and are dragging their feet "doing an investigation". Of course I use those email addresses primarily for ... well, sites like this, that are 'unimportant', so who knows if it was the site or the email that is hacked, but being as my email passwords don't show up as being pwned I'm guessing some random shit, like I see one email related to "ArmorGames" like seriously from who knows when. So fuck if I care about that. Both are connected to "Collection #1" though, so who knows if this is just reusing old information to make a bigger list or if this is all new information.
     
  16. DocNo

    DocNo Gawd

    Messages:
    654
    Joined:
    Apr 23, 2012
    1Password user here. Finally got my parents to use and they are now working on their friends. Sometimes they do listen and it's amazing :)

    Anyone not using a password manager or some strategy to avoid reusing passwords is just asking for it.
     
    steakman1971 likes this.
  17. exlink

    exlink [H]ardness Supreme

    Messages:
    4,383
    Joined:
    Dec 16, 2006
[attached image: giphy.gif]
     
    mikeo and tetris42 like this.
  18. mnewxcv

    mnewxcv [H]ardness Supreme

    Messages:
    6,470
    Joined:
    Mar 4, 2007
    You should always try to use a capital and a number in your password.

    Password1
     
    Armenius and mikeo like this.
  19. sfsuphysics

    sfsuphysics I don't get it

    Messages:
    13,694
    Joined:
    Jan 14, 2007
    Wouldn't surprise me with all this "weak" security out there by companies who apparently do a piss poor job of encrypting things like... passwords, and the call for 2 step verification or a phone number to authenticate these companies are just finding new ways to mine data from you.
     
  20. raz-0

    raz-0 [H]ardness Supreme

    Messages:
    4,540
    Joined:
    Mar 9, 2003
I used to think HIBP was interesting and useful. Now its only real use is maybe convincing someone that their password and their habits of sharing it are dangerous. Without churning email addresses with every set of credentials, it gives me no clue about what might have been compromised. Is it my retired password from when Adobe got hacked triggering it, or something I use now? Using a password manager and unique passwords these days, verifying them using their password checking service would be prohibitive if I even felt comfortable shoving my password for service X through a web form run by service Y and of unknown security status.
     
  21. Rahh

    Rahh [H]ard|Gawd

    Messages:
    1,607
    Joined:
    Jan 14, 2005
    Yahoo is owned by Verizon.
     
  22. velusip

    velusip [H]ard|Gawd

    Messages:
    1,577
    Joined:
    Jan 24, 2005
    https://haveibeenpwned.com/Passwords

There are torrents to the "new" dataset with only hashes. You just need to grep for a SHA-1 of an input password to confirm if it's there. The old dataset is hashes + passwords which, while entertaining, is no more useful.

    Hunter2
     
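The "grep for the SHA-1" check above, and the worry raised earlier in the thread about typing live passwords into someone else's web form, both come down to the same operation: hash locally, then compare. The example below is added here and is not code from the forum or from HIBP. It builds a tiny constructed stand-in for the downloaded hash list (real SHA-1s of a few obviously weak strings, made-up counts, `HASH:COUNT` per line) and shows two ways to query it: a local scan equivalent to grepping the torrent, and the k-anonymity lookup that the Pwned Passwords range API offers, where only the first five hex characters of the hash leave the machine and the suffix is matched client-side. The `range_response` function is a simulated server standing in for that API so the whole thing runs offline.

```python
import hashlib


def sha1_upper(password):
    """SHA-1 of the password as uppercase hex, which is how the hash list is keyed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the downloaded list: "HASH:COUNT", sorted by hash.
# The hashes are real SHA-1s of these strings; the counts are invented.
CONSTRUCTED_DATASET = sorted(
    f"{sha1_upper(pw)}:{count}"
    for pw, count in [
        ("Password1", 500000),
        ("hunter2", 20000),
        ("letmein", 300000),
        ("correct horse battery staple", 3),
    ]
)


def check_offline(password, dataset_lines):
    """Local equivalent of grepping the full list: returns the breach count, or 0."""
    target = sha1_upper(password)
    for line in dataset_lines:
        h, _, count = line.partition(":")
        if h == target:
            return int(count)
    return 0


def range_response(prefix, dataset_lines):
    """Simulated server side of the range API (assumption: stand-in, not HIBP's code).

    The caller sends only a 5-hex-char prefix and gets back every suffix in the
    list that starts with it, so the server never learns which hash was wanted.
    """
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly 5 hex characters")
    return [line[5:] for line in dataset_lines if line.startswith(prefix)]


def check_via_range(password, dataset_lines):
    """Client side of the k-anonymity check: hash locally, send the prefix,
    match the suffix against the returned bucket. Returns the count, or 0."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_response(prefix, dataset_lines):
        s, _, count = line.partition(":")
        if s == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ["hunter2", "Password1", "not-in-any-list-zq8"]:
        print(f"{pw!r}: offline={check_offline(pw, CONSTRUCTED_DATASET)} "
              f"range={check_via_range(pw, CONSTRUCTED_DATASET)}")
```

With the real list the local scan is the same idea against 87GB of lines (a binary search over the hash-ordered file replaces the linear loop); the range form is what lets a password manager's breach check run without the plaintext or the full hash ever being sent.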
  23. LMT MFA

    LMT MFA Limp Gawd

    Messages:
    237
    Joined:
    Jun 11, 2014
    Good luck, it's 87GB.
     
  24. iamjanco

    iamjanco Limp Gawd

    Messages:
    441
    Joined:
    Jul 8, 2016
    One of my email addresses was subject to exposure a number of times and is an older one that I've been proactively winding down use of:

[attached screenshot: 2019-01-17_14-56-23.jpg]

    That said, I've currently got almost 400 differing sets of credentials (stored in an IronKey thumbdrive) and never use the same password twice, and always ensure the use of complex passwords. I've also long since closed a majority of the accounts I don't use anymore.

    Maybe not 100% foolproof, but it's better than not doing anything and hoping for the best.
     
    Last edited: Jan 17, 2019
    DocNo likes this.
  25. chaos4u

    chaos4u Limp Gawd

    Messages:
    347
    Joined:
    Dec 1, 2004
The password situation has become so burdensome for people it is ridiculous. I loathe having to ask someone for their password; they then go and grab a plethora of papers and books, often with several incarnations of credentials, and one by one we go through them until they all fail and we end up having to change the password ... again.

While I love KeePass and password spreadsheets, they scare the hell out of me knowing how reliably people back up their data. Combined with thumb drive reliability and the "salesman backup" (it's called a backup drive, so if you MOVE everything over to it, it's backed up!!), over-reliance on those techs scares the hell out of me.

The personal algorithm for creating a password is the best thing in my mind, but getting people to understand that has been extremely difficult.

And while 2FA is great, it's just another gate to lock you out of your account when you need it most, especially when the 2FA device is unavailable for some reason.

What really irritates me is that in most of these cases the actual owner of the account is jumping through more hoops trying to gain access to their accounts than the hackers.

Unfortunately it seems like there is little hope in this field. I had read somewhere that several companies had solutions but they have yet to materialize. And even so I still feel they will always be flawed by the one principle that can not be undone and that is the end user. The bane of personal computing ...
     
  26. potency

    potency Gawd

    Messages:
    848
    Joined:
    Dec 1, 2010
    I call BS on that website. It said my email address was compromised on Disqus as part of a 2012 data breach, but I didn't register until the end of 2014. It looks like a slimy way to get people to signup for 1Password.com.
     
  27. Kranium

    Kranium Limp Gawd

    Messages:
    432
    Joined:
    May 27, 2011
    I've had the same email account since 1997, I'm not surprised I'm on the list. I guess changing passwords every....5 years or so is good enough, right? :p
     
  28. Deezus

    Deezus Gawd

    Messages:
    859
    Joined:
    Jan 16, 2001
    Email address was compromised 28 times. I'd expect that since I've had it since I signed up for Gmail as a beta tester. Password is good though, think having it be 16 characters long helps.
     
  29. steakman1971

    steakman1971 2[H]4U

    Messages:
    2,433
    Joined:
    Nov 22, 2005
    I was bored this past weekend and spent a little time in my password manager (see, told you I was bored). Between my accounts and my family, we have about 500 entries! The majority are mine - lots of the accounts haven't been used by me in ages. I don't even remember some of them.
    Even if I take the time to close some of these out, do I think that the companies/sites are removing my data? Doubtful. It makes me hesitant to open any new accounts. It makes your thumbprint that much bigger.
     
  30. Master_shake_

    Master_shake_ [H]ardForum Junkie

    Messages:
    9,406
    Joined:
    Apr 9, 2012
Same, I've been pwned 3 times but have no idea how or why.
     
  31. M76

    M76 [H]ardForum Junkie

    Messages:
    9,463
    Joined:
    Jun 12, 2012
    It actually lists the hows and whys. Basically if you had an account on a service with that email that was ever compromised it will list you as pwned.

    My problem is that it doesn't show which password was compromised. I use dozens and I don't want to go around changing all of them everywhere because one of my throw-away passwords was hit.
     
  32. SticKx911

    SticKx911 2[H]4U

    Messages:
    2,199
    Joined:
    Mar 14, 2004
    I change these passwords to nonsense garbage that I’d never remember. That way if they do leak...it’s useless.
     
  33. tordogs

    tordogs Limp Gawd

    Messages:
    489
    Joined:
    Mar 25, 2010
    Was something hacked yet again?
     
  34. Space_Ranger

    Space_Ranger Gawd

    Messages:
    630
    Joined:
    Jul 13, 2007
I've only got Windows machines, and KeePass fits the bill for me. The DB file can be used by keepassXC if I choose to use it on my phone, so there's a plus there. I store the DB file on my NextCloud server, and it gets synced across all my machines.
     
  35. nilepez

    nilepez [H]ardForum Junkie

    Messages:
    11,468
    Joined:
    Jan 21, 2005
What sucks is I'm apparently in this list, but I have no idea what PW it's for and checking all of them would take me hours. I guess I'll look at financials/bill PWs as well as the ones for my email accounts... hopefully that's enough.
     
  36. Moogle Stiltzkin

    Moogle Stiltzkin Gawd

    Messages:
    814
    Joined:
    Nov 11, 2004
The only sane way to keep unique strong passwords for every site you visit etc... is to use something like KeePass to encrypt them all and generate on the fly, saved on your own local storage. Then you only need a single master password to remember. Easy. And it's free....

This HIBP, you'd have to use 1Password (there is a free trial), load your database, then run the HIBP module, change those passwords at the sites, then delete 1Password when you're done, also delete trash (or continue using it if you want to).

Other than 2FA, there are newer standards like U2F and FIDO2.


    https://www.yubico.com/works-with-yubikey/catalog/keepass/
     
    Last edited: Jan 17, 2019
  37. NKD

    NKD [H]ardness Supreme

    Messages:
    7,715
    Joined:
    Aug 26, 2007
Well, as I read this just today. Someone from Florida by the name of Lazaro Vega Rodriiguez got a hold of my Best Buy account and did 2 in-store pickups for 2 Nintendo Switches. Had it not been for the confirmation email Best Buy sent me it would have been done. I changed my password but I am thinking it was done differently. I mean the smart man inside me tells me that why the heck didn't he change my password via logging in and the email hmmm. But I canceled the orders and reported it to Best Buy. Wondering if this shit was done internally.

So I am using unique passwords generated by LastPass for my accounts and slowly updating them. Especially the main ones. I was beta testing LastPass so I have been getting the free service since then. It does have the option to get premium service but my account works as is for everything.

    Shits crazy these days.
     
    Last edited: Jan 17, 2019
  38. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,224
    Joined:
    Nov 16, 2009
    The main feature in XC is the auto DB refresh. If I update on one machine and get on another machine with keepass already open, it will automatically refresh. Regular keepass required closing the DB and opening again, and that annoyed me way too much. Plus the plugin always gave me issues.
     
    Space_Ranger likes this.
  39. dvsman

    dvsman 2[H]4U

    Messages:
    2,775
    Joined:
    Dec 2, 2009
    I don't worry about passwords, as I keep a pretty strong password policy on all my accounts (length, different for each account, 2 factor, blah blah blah), but damn if they don't keep leaking other personal data (birthdate and crap like that) that the punks can use to social engineer my accounts without any recourse or expiration date. Might not be now, maybe not tomorrow but shit if I'm going to remember this 2 years or 10 years or some bs amount of time down the road.
     
  40. Tiberian

    Tiberian DILLIGAFuck

    Messages:
    5,725
    Joined:
    Feb 12, 2012
    This kind of thing happens so frequently that soon enough - and I know this is actually more than likely going to possibly happen (figure that one out) - we're going to see a report that the "';--have i been pwned?" website itself is going to be pwned. :D