posted by takyon on Saturday January 19 2019, @07:42PM   Printer-friendly
from the there's-lots-more-where-that-came-from dept.

Security maven Brian Krebs, best known for his blog Krebs On Security, has posted an article that puts a damper on the kerfuffle over the huge e-mail and password breach just announced: 773M Password 'Megabreach' is Years Old:

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it "the largest collection ever of breached data found." But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

The dump, labeled "Collection #1" and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely "made up of many different individual data breaches from literally thousands of different sources."

[...] Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached — "Sanixer." So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.

Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his "freshest" offering. Rather, he sort of steered me away from that archive, suggesting that — unlike most of his other wares — Collection #1 was at least 2-3 years old. His other password packages, which [...] total more than 4 terabytes in size, are less than a year old, Sanixer explained.

tl;dr: The dump in the headlines is old hat and not much cause for fresh alarm: by the seller's own account Collection #1 is at least two to three years old, and Hunt says it was stitched together from thousands of earlier breaches. The same seller's other packages, which total more than 4 TB (dozens of times the size of the 87 GB Collection #1) and are less than a year old, are the real thing to be concerned about.

What to do? The old advice still applies: don't reuse passwords; use long passphrases; enable two-factor authentication; use a password manager; and avoid posting your e-mail address on the web in plain text for bots to scrape. Hunt's HaveIBeenPwned service lets you check whether an address or a password already appears in known dumps, this one included.
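As an added example (not code from the original post, from Krebs, or from Troy Hunt's service), here is how the "is my password already in a dump?" check can be done without handing the password, or even its full hash, to anyone. The endpoint URL and the "SUFFIX:COUNT" response shape are those of HaveIBeenPwned's published Pwned Passwords range API; the SAMPLE_RESPONSE and its counts are constructed here for offline use and are not real data.

```python
# Added example (not from the SoylentNews post, Krebs or Troy Hunt): check a
# password against HaveIBeenPwned's Pwned Passwords corpus via the k-anonymity
# "range" API. Only the first five hex characters of the password's SHA-1 are
# sent; the server returns every known suffix under that prefix with its
# breach count, and the match is made locally. SAMPLE_RESPONSE is constructed
# for offline use and is not real API output.
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response (the real API returns CRLF lines
# of "35-HEX-CHAR-SUFFIX:COUNT"). The first suffix completes SHA-1("password");
# the count next to it is made up. The blank line mimics trailing whitespace.
SAMPLE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    + "0" * 34 + "A:2\r\n"
    + "  \r\n"
)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of `password` into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {SUFFIX: count}, skipping malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix = suffix.strip().upper()
        if not sep or len(suffix) != 35:
            continue  # blank, non-delimited or wrong-length line
        try:
            counts[suffix] = int(count.strip())
        except ValueError:
            continue  # count field is not an integer
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Times `password` appears in the corpus, given the range body for its own
    prefix; 0 means its suffix is not listed there."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup (network): fetch the range body for a 5-char uppercase hex prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pwned-range-example"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_live(password: str) -> int:
    """End-to-end check against the real service; only the 5-char prefix leaves the host."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demo over the constructed response.
    for pw in ("password", "Tr0ub4dor&3"):
        n = breach_count(pw, SAMPLE_RESPONSE)
        verdict = f"seen {n} times, retire it" if n else "not in the sample range"
        print(f"{pw!r}: {verdict}")
```

Run it with no arguments for the offline demo; `check_live(pw)` does the real lookup. A non-zero count means the password is already in a known dump and should be retired no matter how old that dump is; a zero only means it is absent from this corpus, not that it is strong.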


This discussion has been archived. No new comments can be posted.
  • (Score: 2) by SomeGuy (5632) on Saturday January 19 2019, @07:53PM (#788744) (1 child)

    What to do? The old advice still applies: Don't reuse passwords. Do use long passphrases or passwords. Do enable two-factor authentication. Do use a password manager. Avoid putting your e-mail out on the web in plain text for bots to find.

    And don't forget to CHANGE your passwords every now and then. Otherwise it doesn't matter how old these password dumps are.

  • (Score: 2) by AthanasiusKircher (5291) on Sunday January 20 2019, @02:31AM (#788868)

    Not saying this is bad advice, but it's overrated compared to everything you quoted. Sites that force password changes every so often usually end up with users just iterating or doing some other stupid thing that a determined hacker could figure out.

    The big problem with password breaches often isn't just the individual site. It's the fact that when someone has your username and password, and you tend to reuse these -- suddenly someone can get access to lots of your accounts, steal your identity, do all sorts of bad stuff.

    If you never reuse passwords (using a password manager is easy -- and makes it easy to use very long arbitrary passwords everywhere), and if you enable two-factor authentication for any site you really need to be extra secure, the chances that a single breach of an old password will result in significant damage are exceedingly low.

    It's password reuse and lack of two-factor authentication where it matters that mostly makes old passwords dangerous.

    (Again, I'm not saying changing passwords periodically is useless -- it's just something that people tend to worry about more than things that could make a bigger difference with less effort.)