
posted by takyon on Saturday January 19 2019, @07:42PM   Printer-friendly
from the there's-lots-more-where-that-came-from dept.

Security maven Brian Krebs, probably best known for his blog Krebs On Security, has posted an article that puts a damper on the kerfuffle over the huge e-mail and password breach announced this week: 773M Password 'Megabreach' is Years Old:

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it "the largest collection ever of breached data found." But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

The dump, labeled "Collection #1" and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely "made up of many different individual data breaches from literally thousands of different sources."

[...] Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached — "Sanixer." So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.

Sanixer said Collection #1 consists of data pulled from a huge number of hacked sites, and was not exactly his "freshest" offering. Rather, he sort of steered me away from that archive, suggesting that — unlike most of his other wares — Collection #1 was at least 2-3 years old. His other password packages, which [...] total more than 4 terabytes in size, are less than a year old, Sanixer explained.

tl;dr: What has been making the rounds in the press is old news and nothing to be too concerned about. On the other hand, the same seller offers other collections that are far larger (more than 4 TB in total against Collection #1's 87 GB, roughly 45 times the size) and less than a year old. That is something to be concerned about.

What to do? The old advice still applies: Don't reuse passwords across sites. Do use long passphrases. Do enable two-factor authentication wherever it is offered. Do use a password manager. Avoid posting your e-mail address on the web in plain text where harvesting bots can find it.


  • (Score: 2) by darkfeline (1030) on Sunday January 20 2019, @12:53PM (#789015) Homepage

    You can check all of your passwords through the HIBP API. You are using a password manager, right? Just make a temporary dump and run them through a script.

    Here's such a checker written in Go: https://github.com/darkfeline/pwnck [github.com]

    (You can fetch and build it with "go get go.felesatra.moe/pwnck")

    The API accepts the first 5 characters of your password SHA1 hash, so you don't need to worry about sending your actual passwords to some API. This is bound to be more convenient than downloading a few GBs/TBs of the latest password hash dump every few months.

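As an added worked example (not from the original story or comment, and not code from the pwnck project linked above), here is the range lookup the commenter describes, written in Go: hash the password with SHA-1, send only the first five hex characters to the `https://api.pwnedpasswords.com/range/` endpoint, and match the remaining 35 characters against the returned `SUFFIX:COUNT` lines locally, so the service never sees the full hash. The endpoint URL and the `Add-Padding` request header are real features of the HIBP API; the response body used by `FakeFetch` is constructed for this example with invented counts, so the program runs without network access.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
)

// HashParts splits the upper-case hex SHA-1 of password into the 5-char prefix
// that goes to the API and the 35-char suffix that never leaves this machine.
func HashParts(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// ParseRange turns a range body ("SUFFIX:COUNT" per line) into suffix -> count.
// A line with a non-35-char suffix or non-integer count is an error, not skipped.
func ParseRange(body string) (map[string]int, error) {
	counts := make(map[string]int)
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text()) // tolerates CRLF line endings
		if line == "" {
			continue
		}
		sep := strings.IndexByte(line, ':')
		if sep != 35 {
			return nil, fmt.Errorf("malformed range line %q", line)
		}
		n, err := strconv.Atoi(line[sep+1:])
		if err != nil {
			return nil, fmt.Errorf("bad count in %q: %v", line, err)
		}
		counts[strings.ToUpper(line[:sep])] = n
	}
	return counts, sc.Err()
}

// HTTPFetch queries the live range endpoint. Add-Padding is the service's
// documented option to pad responses so their size does not reveal the bucket.
func HTTPFetch(prefix string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, "https://api.pwnedpasswords.com/range/"+prefix, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Add-Padding", "true")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("range %s: HTTP %d", prefix, resp.StatusCode)
	}
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// PwnedCount returns how often password appears in the corpus (0 = not found).
// fetch is injected so the lookup can be exercised offline with a constructed body.
func PwnedCount(password string, fetch func(prefix string) (string, error)) (int, error) {
	prefix, suffix := HashParts(password)
	body, err := fetch(prefix) // only the 5-char prefix leaves the machine
	if err != nil {
		return 0, err
	}
	counts, err := ParseRange(body)
	if err != nil {
		return 0, err
	}
	return counts[suffix], nil // suffix matching happens locally
}

// constructedRange is a made-up body for prefix 5BAA6, not real HIBP data: the
// genuine suffix of SHA-1("password") with an invented count, one unrelated
// suffix, and a zero-count line of the kind padding produces.
const constructedRange = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n" +
	"0123456789ABCDEF0123456789ABCDEF012:7\r\n" +
	"ABCDEF0123456789ABCDEF0123456789ABC:0\r\n"

// FakeFetch stands in for HTTPFetch so the example runs with no network access.
func FakeFetch(prefix string) (string, error) {
	if prefix == "5BAA6" {
		return constructedRange, nil
	}
	return "", nil // empty body: nothing in that bucket
}

func main() {
	// Replace FakeFetch with HTTPFetch to query the live service.
	for _, pw := range []string{"password", "correct horse battery staple"} {
		n, err := PwnedCount(pw, FakeFetch)
		fmt.Printf("%q: seen %d times (err=%v)\n", pw, n, err)
	}
}
```

Two caveats worth keeping in mind when running this against the live service: a count of 0 only means the password is not in HIBP's corpus, not that it is safe, and the count says nothing about which breach it came from. Rejecting malformed lines rather than skipping them matters because a truncated or proxied response that silently parsed as "no matches" would turn a breached password into a false negative.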