11 replies to this topic

[securitybreach]

Quote

There’s no shortage of data breaches these days, but this one should make you sit up and pay attention. The newly discovered “Collection #1" is the largest public data breach by volume, with 772,904,991 unique emails and 21,222,975 unique passwords exposed.

The breach was first reported by Troy Hunt, the security researcher who runs the site Have I Been Pwned (HIBP), where you can check if your email has been compromised in a data breach. In his blog, Hunt says a large file of 12,000 separate files and 87GB of data had been uploaded to MEGA, a popular cloud service. The data was then posted to a popular hacking forum and appears to be an amalgamation of over 2,000 databases. The troubling thing is the databases contain “dehashed” passwords, which means the methods used to scramble those passwords into unreadable strings has been cracked, fully exposing the passwords.

https://gizmodo.com/...21-m-1831833456

[Digerati]

Leads even more credence to the advice to use unique passwords for every account you have.

And don't know about anybody else but I sure would not put my password in that Pwned Passwords checker.

[securitybreach]

Digerati, on 17 January 2019 - 05:38 PM, said:

Leads even more credence to the advice to use unique passwords for every account you have.

And don't know about anybody else but I sure would not put my password in that Pwned Passwords checker.

Agreed

[V.T. Eric Layton]

I checked. Three of my email accounts were on the list. I changed all my passwords. It showed me that my emails were harvested through breaches that had occurred at Tumblr, Dropbox, and Yahoo.

[V.T. Eric Layton]

Krebs On Security

773M Password ‘Megabreach’ is Years Old

[V.T. Eric Layton]

Brian Krebs' reply to comments on the article above:

BrianKrebs
January 17, 2019 at 6:38 pm

Look, everyone gets hacked. It’s why last month I wrote the following:

“Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.

Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.”

At least when people pick unique passwords, a site compromise can’t lead to compromise at other accounts. That’s the whole point.

[Digerati]

What I found interesting is when checking with https://haveibeenpwned.com/, all of the 10 listed sites hacked that affected two of my email accounts were from years back. Also, of the 10 sites, I hand only personally opened accounts at 4 of them (DISQUS, MajorGeeks, Linkedin, and Malwarebytes). All associated passwords were long changed. So while the other sites may have had my email addresses, I did not have accounts there and they still didn't have access to any of my important accounts.

That said, I think some people need to go to jail along with very significant fines for those people and the companies they work for. Not the bad guys! No, but the people running those companies and those managing the data at those companies that get hacked.

It is just unfathomable to me that the IT people, the CEOs and CIOs and the security managers at those companies allow such data to be stored anywhere on their systems "in the clear" - that is not encrypted. That's the bigger crime, IMO.

If the company and IT managers understand if they fail to implement even common-sense measures to protect our data/credentials (encrypting usernames and passwords), keeping their software updated in timely fashions***, etc.) they will end up in fail and broke, the vast majority of these breaches would never, could never happen.

*** I note the Equifax breach could have easily been prevented if (1) the patch that fixed the vulnerability that was exploited and released to Equifax months earlier had been installed, the bad guys would have been blocked from gaining access to that data. And (2), if the data was encrypted, even if the bad guys had gained access to it, they would have had to go through the very tough challenge and process to decrypt it. But sadly, the available patch (which the company and IT managers knew about!) was never applied, and all of our sensitive data was stored in the clear. (*&*^^%%$#@ @$^*()) !

[V.T. Eric Layton]

Sadly, Bill, these companies that are negligent, and as a result, complicit in all these security breeches, evidently don't hold security of their own databases in high regard. I agree with you that heads should roll. We cannot prosecute the hackers because most of them are anonymous from other countries, but these tech giants that are remiss in their own security, and by extension OUR security, should be held responsible and made to pay for their failures.

[Digerati]

Yeah, but that likely will not happen until more and more members of Congress have their own identities stolen through these hacks AND are not compromised via a conflict of interest through accepting PAC and lobbyist money/influences. Until business can no longer buy influence, plain old consumers will always get the shaft.

[securitybreach]

Well it turns out that these are not all new: Krebs On Security: 773M Password ‘Megabreach’ is Years Old

[V.T. Eric Layton]

That's correct. Brian Krebs stated that some of these breaches are from 2+ years ago. A breach is a breach, though. Best to change those passwords often.

[securitybreach]

V.T. Eric Layton, on 21 January 2019 - 07:37 AM, said:

That's correct. Brian Krebs stated that some of these breaches are from 2+ years ago. A breach is a breach, though. Best to change those passwords often.

And NEVER re-use a password. Every password should be unique.