Reuters is reporting: Exclusive: Big data breaches found at major email services - expert:
Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia's criminal underworld, a security expert told Reuters. The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru (MAILRq.L), Russia's most popular email service, and smaller fractions of Google (GOOGL.O), Yahoo (YHOO.O) and Microsoft (MSFT.O) email users, said Alex Holden, founder and chief information security officer of Hold Security.
[...] Holden was previously instrumental in uncovering some of the world's biggest known data breaches, affecting tens of millions of users at Adobe Systems (ADBE.O), JPMorgan (JPM.N) and Target (TGT.N) and exposing them to subsequent cyber crimes.
The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totalling 1.17 billion records.
After eliminating duplicates, Holden said, the cache contained nearly 57 million Mail.ru accounts - a big chunk of the 64 million monthly active email users Mail.ru said it had at the end of last year. It also included tens of millions of credentials for the world's three big email providers, Gmail, Microsoft and Yahoo, plus hundreds of thousands of accounts at German and Chinese email providers.
"This information is potent. It is floating around in the underground and this person has shown he's willing to give the data away to people who are nice to him," said Holden, the former chief security officer at U.S. brokerage R.W. Baird. "These credentials can be abused multiple times," he said.
[...] Yahoo Mail credentials numbered 40 million, or 15 percent of the 272 million unique IDs discovered. Meanwhile, 33 million, or 12 percent, were Microsoft Hotmail accounts and 9 percent, or nearly 24 million, were Gmail, according to Holden.
Not only have I changed my passwords, but I am encouraging family/friends to do the same -- it's a lot easier to help them BEFORE their e-mail account gets pwned.
(Score: 0) by Anonymous Coward on Friday May 06 2016, @08:25AM
I have a safe password (full paragraph). Tell me again how I could have ended up in this database if I never actually misused my credentials, and only then advise me to change my password. I already have enough idiotic forced password updates by various people.
And yes, it is idiotic to force me to change my password every 6 months, if it's a good password (full sentence with various replacements of letters with weird symbols), because you're forcing me to write it down.
(Score: 3, Insightful) by RamiK on Friday May 06 2016, @08:52AM
Huge memorized passwords are a house of cards. Since it's likely you're using that password with other services, all it takes is one hacked service and your password is revealed.
If you insist on a single password, look at PGP or KeePass to encrypt a password DB. It's still a single point of failure, but at least you hold the keys.
compiling...
(Score: 0) by Anonymous Coward on Friday May 06 2016, @10:39AM
What I do in practice is I have an encrypted partition on my laptop, for which I have a strong password that I've been using for ... 5 or 6 years I think. And in that encrypted partition I have plain text files with passwords.
The only bad scenario that I can see is losing the laptop with the screen unlocked. (Or installing something myself that goes through all my files, but I fail to see how I could be that dumb.)
(Score: 2) by isostatic on Friday May 06 2016, @11:52AM
Or a zero-day vulnerability in Firefox (which you don't run in a container/chroot/VM, and which has read access to your file system).
(Score: 0) by Anonymous Coward on Friday May 06 2016, @12:53PM
While true and a valid attack vector, this particular attack would require a human to go through the data slurped up by the malware in order to figure out which data is what. You are not that special of a snowflake to warrant that investment so the attacker will just go for the easier pickings.
That being said, if you call that file 'passwords.txt', then... well yeah...
(Score: 2) by isostatic on Friday May 06 2016, @08:08PM
I agree with your point, and I do something very similar. If someone wants to get me, they will, regardless of any action I make. I only need to run from the lion faster than the other guy.
(Score: 2) by legont on Friday May 06 2016, @10:41PM
KeePass [keepass.info] is good and better than plain text on an encrypted drive but I wrote one for myself that actually generates passwords from a master key instead of keeping them. It adds some obscurity.
I fully realise I can be hacked, but a very personal attack would be required.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 2) by frojack on Saturday May 07 2016, @01:24AM
It's still a single point of failure, but at least you hold the keys.
Two factor! Just about every big site offers it nowadays, and most of them do it right-ish.
No, you are mistaken. I've always had this sig.
(Score: 2) by el_oscuro on Friday May 06 2016, @11:45PM
Obligatory xkcd [xkcd.com]
SoylentNews is Bacon! [nueskes.com]
(Score: 2) by butthurt on Saturday May 07 2016, @12:20AM
Even if one uses unique passwords, it's possible to mistakenly provide the password for one service when attempting to log into another:
-- http://www.businessinsider.com/how-mark-zuckerberg-hacked-into-the-harvard-crimson-2010-3 [businessinsider.com]
(Score: 2) by geb on Friday May 06 2016, @09:22AM
There's no indication that some master hacker has stolen password data from all these services. It looks like somebody has just sent their botnet to spend a few weeks comparing lists of email addresses against lists of common passwords.
My passwords for important services are not going to be trivially guessable, and I don't share passwords between important services, so why should I care about this?
I guess it's possible that this really is a massive, scary, simultaneous leak of user data from every major email provider at once, but I very much doubt it.
(Score: 2) by devlux on Friday May 06 2016, @09:33AM
Possible root cause found...
https://xkcd.com/908/ [xkcd.com]
(Score: 1, Funny) by Anonymous Coward on Friday May 06 2016, @10:23AM
Huh. I was sure you were linking to this one: https://www.xkcd.com/792/ [xkcd.com]
(Score: 3, Funny) by Farkus888 on Friday May 06 2016, @10:36AM
I thought it might be this one https://xkcd.com/936/ [xkcd.com]
Also I didn't want to feel left out.
(Score: 0) by Anonymous Coward on Friday May 06 2016, @12:10PM
I think xkcd may be mistaken on how long it would take to crack a password with 4 words stuck together, *if* you know that's the scheme being used.
I'm not a mathematician, but bear with me.
Let's assume we consider only the most common 30,000 words in the English language. Imagine the xkcd password (correcthorsebatterystaple) now as a 4 digit password in base 30,000 instead of base 26 (or whatever number of characters are normally valid for a password). Calculate the number of combinations for each and compare.
(Score: 0) by Anonymous Coward on Friday May 06 2016, @12:57PM
8.1 * 10^17 is still a lot
(Score: 0) by Anonymous Coward on Friday May 06 2016, @01:25PM
The correct-horse-battery-staple xkcd assumes 11 bits per word, or only a 2^11 (around 2000) word dictionary. This gives a total pool of 2^44 ~ 1.8 x 10^13 combinations, which at an assumed 1000 guesses/sec gives the stated ~550 years for trying all password combinations.
If you use a password made up of totally random characters, adding up lower case (26), upper case (26), numbers (10) and a few special characters (let's make the total a round 70), by my calculation for an 8 character password you get about 5.8 x 10^14 combinations. The problem is that you won't remember that, you'll have to write it down, which is... not a good security practice. Of course, if you limit yourself to one or more of the common patterns people use to create passwords they have a chance of remembering (as the xkcd in question does), you get a number many, many orders of magnitude smaller (in the xkcd "troubador" example, ~2.7 x 10^8).
The cracking timescale probably seems so wrong to you because of a guessing speed of only 1000 guesses/sec, when you often hear about GPU cracking software calculating hundreds of billions or so of password hashes per second. This part depends on the security practices of the software in question. If your password hashing algorithm takes, say, 1/10 of a second to calculate, no matter how much hardware you throw at it, it will take too long to crack to be useful. Let's say you have a thousand GPUs with a thousand cores each, at 0.1 sec for hashing: that's about 100,000 guesses/sec, and you still get five and a half years with the correct horse.
On the other hand, if you can calculate a hash in a few nanoseconds, your password will have to be long indeed to be even marginally secure. Just running the passwords through a SHA-256 once is not really enough :)
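The arithmetic behind the last few comments (dictionary size raised to the word count, alphabet size raised to the length, divided by the guess rate the hash cost allows) is carried through below as an added worked example; it is not code from any commenter. The scheme names, the 70-symbol alphabet and the three guess rates are the thread's own figures, arranged here as constructed inputs.

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400


def search_space(symbols: int, length: int) -> int:
    """Candidates for `length` positions, each drawn from `symbols` choices
    (words from a dictionary, or characters from an alphabet)."""
    return symbols ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy equivalent to an exhaustive search of `space`."""
    return math.log2(space)


def guess_rate(parallel_guessers: int, seconds_per_hash: float) -> float:
    """Guesses per second: hashes computed in parallel / cost of one hash.
    A slow password hash lowers this no matter how much hardware is used."""
    return parallel_guessers / seconds_per_hash


def years_to_exhaust(space: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return space / guesses_per_sec / SECONDS_PER_YEAR


# The schemes argued over in the thread (constructed from its own numbers).
SCHEMES = {
    "xkcd: 4 words from a 2^11-word list": (2**11, 4),
    "4 words from the 30,000 most common": (30_000, 4),
    "8 random chars, 70-symbol alphabet": (70, 8),
}

# Guess rates: the strip's 1000/s, a deliberately slow hash (10^5/s),
# and a fast unsalted hash on GPUs (10^11/s).
RATES = (1e3, 1e5, 1e11)


def summarize() -> dict:
    """Bits and worst-case years for every scheme at every rate."""
    out = {}
    for name, (symbols, length) in SCHEMES.items():
        space = search_space(symbols, length)
        out[name] = {
            "bits": round(entropy_bits(space), 1),
            "years": {rate: years_to_exhaust(space, rate) for rate in RATES},
        }
    return out


if __name__ == "__main__":
    for name, row in summarize().items():
        years = ", ".join(f"{r:.0e}/s: {y:.3g} yr" for r, y in row["years"].items())
        print(f"{name:40s} {row['bits']:5.1f} bits  {years}")
```

At 10^11 guesses/sec the 2^44 passphrase space falls in about three minutes, which is the point being made about single-pass SHA-256 versus a slow, salted hash.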
(Score: 2) by devlux on Friday May 06 2016, @03:59PM
In other words, it needs salt :D
(Score: 2) by Scruffy Beard 2 on Friday May 06 2016, @04:19PM
No, where that strip goes wrong is the assumption that the cracker does not have access to the hashed password: because large data breaches are rare.
(Score: 2) by Nerdfest on Friday May 06 2016, @05:28PM
I agree. The trick is to spell one of the words wrong.
(Score: 3, Funny) by deimtee on Friday May 06 2016, @07:19PM
So, wronghorsebatterystaple then.
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: 0) by Anonymous Coward on Friday May 06 2016, @07:28PM
This is the king of best answers!