Mother of All Breaches Exposes 773 Million Emails, 21 Million Password


11 replies to this topic

#1 securitybreach (CLI Phreak, Forum Admins, 24,203 posts)

Posted 17 January 2019 - 05:00 PM

Quote

There’s no shortage of data breaches these days, but this one should make you sit up and pay attention. The newly discovered “Collection #1” is the largest public data breach by volume, with 772,904,991 unique emails and 21,222,975 unique passwords exposed.

The breach was first reported by Troy Hunt, the security researcher who runs the site Have I Been Pwned (HIBP), where you can check if your email has been compromised in a data breach. In his blog, Hunt says a large file of 12,000 separate files and 87GB of data had been uploaded to MEGA, a popular cloud service. The data was then posted to a popular hacking forum and appears to be an amalgamation of over 2,000 databases. The troubling thing is the databases contain “dehashed” passwords, which means the methods used to scramble those passwords into unreadable strings have been cracked, fully exposing the passwords.

https://gizmodo.com/...21-m-1831833456
Configs/PGP Key/comhack π

"Do you begin to see, then, what kind of world we are creating? It is the exact opposite of the stupid hedonistic Utopias that the old reformers imagined. A world of fear and treachery and torment, a world of trampling and being trampled upon, a world which will grow not less but more merciless as it refines itself. Progress in our world will be progress toward more pain." -George Orwell, 1984

#2 Digerati (Message Mogul, Members, 251 posts)

Posted 17 January 2019 - 05:38 PM

Lends even more credence to the advice to use unique passwords for every account you have.

And don't know about anybody else but I sure would not put my password in that Pwned Passwords checker.
Bill (AFE7Ret)
Freedom is NOT Free!
Windows and Devices for IT, 2007 - 2018

Heat is the bane of all electronics!
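The Pwned Passwords checker mentioned above is built so that the password itself is never submitted: the client hashes the password locally, sends only the first five hex characters of its SHA-1 to the range endpoint, and matches the remaining 35 characters on its own machine (a k-anonymity query). The following Python is an added example, not code from any post in this thread or from HIBP; it reproduces that client-side logic against a constructed sample response, with the real network call left in as a function that is not exercised.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint, not contacted below

def split_sha1(password: str) -> Tuple[str, str]:
    # Hash locally; only the 5-char prefix is ever sent, the 35-char suffix stays here.
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    # Each response line is "<35 hex suffix>:<count>"; tolerate CRLF and blank lines.
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        table[suffix.upper()] = int(count)
    return table

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    # Returns how often the password appears in the corpus; 0 means not found.
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix: str) -> str:
    # Real range query (needs network); swap in for fetch_range_sample to check for real.
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for a range response: a made-up neighbour suffix, then the
# genuine SHA-1 suffix of the string "password" (hash 5BAA61E4...68FD8) with a made-up count.
SAMPLE_RESPONSE = (
    "0F54AB2C9D1E6B7A8F0C3D2E1B4A5C6D7E8:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
)

def fetch_range_sample(prefix: str) -> str:
    # Offline substitute for fetch_range_live that serves the constructed sample.
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for pw in ("password", "constructed-unique-passphrase-2019"):
        print(f"{pw!r}: seen {breach_count(pw, fetch_range_sample)} times")
```

Nothing but the five-character prefix is visible to the server, and a single prefix covers on the order of hundreds of real hashes, which is what makes the lookup safe to run on a live password.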

#3 securitybreach (CLI Phreak, Forum Admins, 24,203 posts)

Posted 17 January 2019 - 05:41 PM

Digerati, on 17 January 2019 - 05:38 PM, said:

Lends even more credence to the advice to use unique passwords for every account you have.

And don't know about anybody else but I sure would not put my password in that Pwned Passwords checker.

Agreed

#4 V.T. Eric Layton (Nocturnal Slacker, Forum Admins, 21,598 posts)

Posted 17 January 2019 - 10:13 PM

I checked. Three of my email accounts were on the list. I changed all my passwords. It showed me that my emails were harvested through breaches that had occurred at Tumblr, Dropbox, and Yahoo.

#5 V.T. Eric Layton (Nocturnal Slacker, Forum Admins, 21,598 posts)

Posted 17 January 2019 - 10:43 PM

Krebs On Security

773M Password ‘Megabreach’ is Years Old

#6 V.T. Eric Layton (Nocturnal Slacker, Forum Admins, 21,598 posts)

Posted 17 January 2019 - 10:47 PM

Brian Krebs' reply to comments on the article above:

BrianKrebs
January 17, 2019 at 6:38 pm

Look, everyone gets hacked. It’s why last month I wrote the following:

“Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.

Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.”

At least when people pick unique passwords, a site compromise can’t lead to compromise at other accounts. That’s the whole point.

#7 Digerati (Message Mogul, Members, 251 posts)

Posted 18 January 2019 - 01:04 PM

What I found interesting is when checking with https://haveibeenpwned.com/, all of the 10 listed sites hacked that affected two of my email accounts were from years back. Also, of the 10 sites, I had only personally opened accounts at 4 of them (DISQUS, MajorGeeks, LinkedIn, and Malwarebytes). All associated passwords were long changed. So while the other sites may have had my email addresses, I did not have accounts there and they still didn't have access to any of my important accounts.

That said, I think some people need to go to jail along with very significant fines for those people and the companies they work for. Not the bad guys! No, but the people running those companies and those managing the data at those companies that get hacked.

It is just unfathomable to me that the IT people, the CEOs and CIOs and the security managers at those companies allow such data to be stored anywhere on their systems "in the clear" - that is not encrypted. That's the bigger crime, IMO.

If the company and IT managers understand that if they fail to implement even common-sense measures to protect our data/credentials (encrypting usernames and passwords, keeping their software updated in a timely fashion***, etc.) they will end up in jail and broke, the vast majority of these breaches would never, could never happen.

*** I note the Equifax breach could have easily been prevented: (1) if the patch that fixed the vulnerability that was exploited, released to Equifax months earlier, had been installed, the bad guys would have been blocked from gaining access to that data. And (2), if the data had been encrypted, even if the bad guys had gained access to it, they would have had to go through the very tough challenge and process of decrypting it. But sadly, the available patch (which the company and IT managers knew about!) was never applied, and all of our sensitive data was stored in the clear. (*&*^^%%$#@ @$^*()) !

#8 V.T. Eric Layton (Nocturnal Slacker, Forum Admins, 21,598 posts)

Posted 18 January 2019 - 05:11 PM

Sadly, Bill, these companies that are negligent, and as a result complicit in all these security breaches, evidently don't hold security of their own databases in high regard. I agree with you that heads should roll. We cannot prosecute the hackers because most of them are anonymous, from other countries, but these tech giants that are remiss in their own security, and by extension OUR security, should be held responsible and made to pay for their failures.

#9 Digerati (Message Mogul, Members, 251 posts)

Posted 18 January 2019 - 05:26 PM

Yeah, but that likely will not happen until more and more members of Congress have their own identities stolen through these hacks AND are not compromised via a conflict of interest through accepting PAC and lobbyist money/influences. Until business can no longer buy influence, plain old consumers will always get the shaft. :(

#10 securitybreach (CLI Phreak, Forum Admins, 24,203 posts)

Posted 20 January 2019 - 11:25 PM

Well, it turns out that these are not all new: Krebs On Security: 773M Password ‘Megabreach’ is Years Old



#11 V.T. Eric Layton (Nocturnal Slacker, Forum Admins, 21,598 posts)

Posted 21 January 2019 - 07:37 AM

That's correct. Brian Krebs stated that some of these breaches are from 2+ years ago. A breach is a breach, though. Best to change those passwords often. :)

#12 securitybreach (CLI Phreak, Forum Admins, 24,203 posts)

Posted 21 January 2019 - 07:57 AM

V.T. Eric Layton, on 21 January 2019 - 07:37 AM, said:

That's correct. Brian Krebs stated that some of these breaches are from 2+ years ago. A breach is a breach, though. Best to change those passwords often. :)

And NEVER re-use a password. Every password should be unique.
