
posted by takyon on Saturday January 19 2019, @07:42PM
from the there's-lots-more-where-that-came-from dept.

Security maven Brian Krebs, probably best known for his blog Krebs On Security, recently posted an article that puts a damper on the kerfuffle over a huge e-mail and password breach that was recently announced: 773M Password 'Megabreach' is Years Old:

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it "the largest collection ever of breached data found." But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

The dump, labeled "Collection #1" and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely "made up of many different individual data breaches from literally thousands of different sources."

[...] Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached — "Sanixer." So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.

Sanixer said Collection #1 consists of data pulled from a huge number of hacked sites, and was not exactly his "freshest" offering. Rather, he sort of steered me away from that archive, suggesting that — unlike most of his other wares — Collection #1 was at least 2-3 years old. His other password packages, which [...] total more than 4 terabytes in size, are less than a year old, Sanixer explained.

tl;dr: The collection the press has been reporting on is old hat, and nothing to be too terribly concerned about. On the other hand, the same seller holds other collections -- over 5 times larger -- that are far newer. Those are something to be concerned about.

What to do? The old advice still applies: don't reuse passwords; use long passphrases or passwords; enable two-factor authentication; use a password manager; and avoid posting your e-mail address on the web in plain text where bots can harvest it.

This discussion has been archived. No new comments can be posted.
  • (Score: 1) by ShadowSystems (6185) on Saturday January 19 2019, @09:29PM (#788773)


    I downloaded the plain text file of sites that got hacked. I hoped to go through it, find the site(s) I might have registered an account at, & use that to determine just how worried I should be. If it was some site I hadn't been to in a decade, didn't contain any PII, & didn't offer the hackers anything of value about me, then I could ignore that site as the probable registered-and-immediately-dumped-as-worthless source it most likely had been. Now, if my *bank* were one of the sites then the shit would hit the fan & I'd be running around like a chicken with its head cut off.
    The list was a confusing mess to my screen reader & made my head hurt trying to parse it. A field with a value of "-RXRWRXRW" took me a second to figure out; it might pertain to a Read, Write, & Execute status, but why a list of sites would need it was beyond me. A seemingly random number was probably the number of accounts the site had given up, but again it wasn't data I cared about; I don't GAF if it splooged 1 account or billions, I just want to know if one of them was *mine*. Then there was a date stamp that was given in "Jan 01 2019" formatting. That sucks from a sorting POV as it puts April before January & kinda screws up the flow. A YYYY-MM-DD format would auto sort itself into chronological order & make things far easier. Then there was the URL (finally!), followed by an entry like "{HASH NOHASH}" & the name of a text file or database (*.SQL), which I couldn't figure out at first. In the end the only field I cared about was the actual URL so I could try to find a site that sounded even remotely vaguely microscopically familiar.
    Once I edited the 200+KB text file down to about 100+KB or so, then I could go through it again to delete all the sites from TLDs I'd never visited, much less made an account at. Czech? Romania? Russia? Korea? Thailand? Estonia? Spain? I could scrub the list of all of them as inherently unlikely I'd ever visited them *at all*. By the time I'd whittled it down to just domains with TLDs that *might* be possible, the file was down to under 25+KB. It took my screen reader less than half an hour to read them to me & me to dismiss nearly *all* of them as unlikely. Christian Lesbians For Christ dot com? Ummmm... No. Crickets Singing For World Peace dot co dot UK? Doubt it. Monkey Spankers Anonymous? *Shifty eyed looks left & right* No Comment! *COUGH* Until I'd gone through the whole damned thing & found...
    Nothing. Not one. Nada. Zip. Zilch. Not a single site I recognized, not a single one for whom I had a file for listing my registration details, nobody & nowhere I might have created an account with that promptly got hacked.
    I know my email is out there, I've only had it since the Dawn Of Time & have put it out on the internet to contact me accordingly, but without a specific site to research "What info did I give them?", it amounted to a whole lot of nothing.
    I am *NOT* saying it was worthless, I am *NOT* suggesting to leave your passwords unchanged, I'm only saying that the HIBP email letting me know "your email & password got hacked!" couldn't tell me *from where*.
    If you tell me my car tires are making a squeaky noise, I've only got four places to check to find the cause; if you tell me "your car is squeaking" without specifying *where* then there's SFA I can do about it. It's not just a needle in a haystack, it's a non-ferrous needle made of laminated hay & there's a very-near-zero chance of me ever finding it.
    Ditto with this breach. There may have been gazillions of email+passwords out there, but without having a way for us to find out which one(s) our data came from, how are we supposed to know just how much trouble we're in?
    The HIBP site has tools that allow you to search for your email to see if it's among those in the list, but it won't tell you from where. There is a similar tool to check passwords, but you either enter them one at a time & wait or upload them all in a mass dump for HIBP to process & let you know one way or the other. Again, it will tell you if a password is among the ones HIBP knows about, but not nec'ly from where it was acquired. That's fine if you recognize the password & can then link it to a specific account, but if it's just a max length string of alphanumerics & special characters, good luck figuring out the source.
    "Just change all your passwords to be safe!" Ummmm... If I have to log in to the ~100 accounts I've got & change all those passwords, by the time I get done it'll be time to do it again next month. =-\
    *Sighs, shrugs, smiles wearily*
    Screw it. I'll just kill all my accounts except for here, my bank, & TheRegister. Everywhere else can bite my shiny metal butt...
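The password check the comment above describes does not require uploading passwords to anyone. As an added example (not code from the commenter, from SoylentNews, or from HIBP itself), the following Python script implements the lookup the way the Pwned Passwords range API is designed to be queried: the password is hashed with SHA-1, only the first five hex characters of the hash are sent, and the response (one `SUFFIX:COUNT` line per known hash sharing that prefix) is matched locally against the remaining 35 characters. The response body below is a constructed sample with made-up counts, the padding and malformed lines in it are constructed to show how the parser handles them, and the `fetch_range` helper is an assumed network wrapper that the demo never calls.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the password as 40 uppercase hex characters, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): the 5-char prefix that is sent, the 35-char suffix kept local."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse a range response into {suffix: count}.

    Each line is 'SUFFIX:COUNT'. Malformed lines are skipped, and entries with a
    count of 0 are dropped: the API's optional response padding uses zero counts
    to hide the true size of a range, so a 0 never means "found".
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            continue  # not a well-formed entry
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the range response (0 = not found)."""
    _prefix, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Assumed network helper: fetch the live range for a 5-char prefix (not used by the demo)."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- constructed sample data: this is not a real API response ---
WEAK_PASSWORD = "password"   # a password anyone should expect to be in the corpus
CONSTRUCTED_COUNT = 123456   # made-up count for WEAK_PASSWORD
_weak_suffix = split_for_range_query(WEAK_PASSWORD)[1]
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:2",   # constructed neighbour in the same range
    f"{_weak_suffix}:{CONSTRUCTED_COUNT}",     # the suffix of WEAK_PASSWORD
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",   # constructed padding entry (count 0)
    "garbage line without a colon",            # malformed line, ignored by the parser
])


def check(password: str, range_body: str = SAMPLE_RANGE_RESPONSE) -> Tuple[bool, int]:
    """(found, count) for a password against a range body; only the prefix would ever be sent."""
    n = breach_count(password, range_body)
    return n > 0, n


if __name__ == "__main__":
    for pw in (WEAK_PASSWORD, "correct horse battery staple 9x!"):
        prefix, _ = split_for_range_query(pw)
        found, n = check(pw)
        print(f"prefix sent: {prefix}  found: {found}  count: {n}")
```

To run it against the live service, replace the default `range_body` with `fetch_range(prefix)`; the server still learns only the five-character prefix, which roughly 400-800 hashes share, so it cannot tell which password was being checked. The count is worth keeping rather than reducing to a boolean: a password seen once in a corpus is a different risk from one seen a hundred thousand times.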