posted by takyon on Saturday January 19 2019, @07:42PM
from the there's-lots-more-where-that-came-from dept.

Security maven Brian Krebs, possibly best known for his blog Krebs On Security, recently posted an article that puts a damper on the kerfuffle about a huge e-mail and password breach that was recently announced: 773M Password 'Megabreach' is Years Old:

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it "the largest collection ever of breached data found." But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

The dump, labeled "Collection #1" and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely "made up of many different individual data breaches from literally thousands of different sources."

[...] Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached — "Sanixer." So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.

Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his "freshest" offering. Rather, he sort of steered me away from that archive, suggesting that — unlike most of his other wares — Collection #1 was at least 2-3 years old. His other password packages, which [...] total more than 4 terabytes in size, are less than a year old, Sanixer explained.

tl;dr: What you've seen recently mentioned in the press is old hat, and nothing to be too terribly concerned about. On the other hand, there are other collections -- over 5 times larger -- that are even newer. That is something to be concerned about.

What to do? The old advice still applies: Don't reuse passwords. Do use long passphrases or passwords. Do enable two-factor authentication. Do use a password manager. Avoid putting your e-mail out on the web in plain text for bots to find.


  • (Score: 2) by SomeGuy on Saturday January 19 2019, @07:53PM (1 child)

    by SomeGuy (5632) on Saturday January 19 2019, @07:53PM (#788744)

    What to do? The old advice still applies: Don't reuse passwords. Do use long passphrases or passwords. Do enable two-factor authentication. Do use a password manager. Avoid putting your e-mail out on the web in plain text for bots to find.

    And don't forget to CHANGE your passwords every now and then. Otherwise it doesn't matter how old these password dumps are.

    • (Score: 2) by AthanasiusKircher on Sunday January 20 2019, @02:31AM

      by AthanasiusKircher (5291) on Sunday January 20 2019, @02:31AM (#788868) Journal

      Not saying this is bad advice, but it's overrated compared to everything you quoted. Sites that force password changes every so often usually end up with users just iterating or doing some other stupid thing that a determined hacker could figure out.

      The big problem with password breaches often isn't just the individual site. It's the fact that when someone has your username and password, and you tend to reuse these -- suddenly someone can get access to lots of your accounts, steal your identity, do all sorts of bad stuff.

      If you never reuse passwords (using a password manager is easy -- and makes it easy to use very long arbitrary passwords everywhere), and if you enable two-factor authentication for any site you really need to be extra secure, the chances that a single breach of an old password will result in significant damage is exceedingly low.

      It's password reuse and lack of two-factor authentication where it matters that mostly makes old passwords dangerous.

      (Again, I'm not saying changing passwords periodically is useless -- it's just something that people tend to worry about more than things that could make a bigger difference with less effort.)

  • (Score: 2) by richtopia on Saturday January 19 2019, @09:08PM (4 children)

    by richtopia (3160) on Saturday January 19 2019, @09:08PM (#788763) Homepage Journal

    I recently switched from Next Cloud's PassMan to Bitwarden. I suspect there is some code sharing between them as they are so similar, but Bitwarden is more fully featured. I also now have the approach of a separate Docker container for each of my password managers. In the past I offered to add a new user to my NextCloud for family members, but now I just configure a new sub-domain pointed to a dedicated Bitwarden instance they can manage themselves.

    This is still not perfect; I am the single point of failure and I still don't fully understand Docker user permissions or cron jobs, so backup is a manual process. However, it helps with my paranoia of trusting a provider with all of my passwords. I'm curious what solution the Soylent News crowd have picked as their favourite.

    • (Score: 0) by Anonymous Coward on Sunday January 20 2019, @01:14AM

      by Anonymous Coward on Sunday January 20 2019, @01:14AM (#788845)

      KeepassX! Cross-platform and you can run it without an installer.

    • (Score: 0) by Anonymous Coward on Sunday January 20 2019, @03:04AM

      by Anonymous Coward on Sunday January 20 2019, @03:04AM (#788879)

      The other option is to use a password hash: https://pwdhash.github.io/website/ [github.io]
      It takes the URL and your password to generate a unique password for each site. Because of bad password policies on a number of sites, the passwords are fairly short, so not the best option for high security options. Mainly it helps for low security options so that when they get cracked, you maintain a level of protection on all your other low security sites. It has the advantage of being accessible from computers that you would not want to keep your keyfile on. There are browser extensions and Android "apps" that are cross compatible and used to be a userjs script for unsupported browsers. Personally I just keep a downloaded copy of the site in my bookmarks.
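The idea described in the comment above, a per-site password derived from one master secret plus the site's address, shown as an added Python example. This is not PwdHash's code or its algorithm (PwdHash uses its own construction); it is an independent illustration using HMAC-SHA256, and the master secret, the host normalisation rule and the 64-character alphabet are all assumptions made here. It also handles the caveat raised in the comment: sites with restrictive policies, by fixing the length and forcing one letter, one digit and one symbol into every derived password.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# 64-character alphabet (52 letters, 10 digits, 2 symbols). 64 is a power of
# two, so "byte % 64" maps bytes onto characters without bias.
SYMBOLS = "!#"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
assert len(ALPHABET) == 64


def site_key(url: str) -> str:
    """Reduce a URL to its host so that http://example.com/login and
    https://www.example.com/ derive the same per-site password.
    (Assumed normalisation rule: lowercase host, leading 'www.' dropped.)"""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[len("www."):]
    return host


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Deterministically derive a per-site password from a master secret and
    the site's host, using HMAC-SHA256 keyed with the master secret.
    Illustration only; this is not the PwdHash algorithm."""
    if not 8 <= length <= 32:
        raise ValueError("length must be between 8 and 32 characters")
    digest = hmac.new(master.encode("utf-8"),
                      site_key(url).encode("utf-8"),
                      hashlib.sha256).digest()
    chars = [ALPHABET[b % 64] for b in digest[:length]]

    # Many sites demand at least one letter, one digit and one symbol. Force
    # one of each at three distinct positions chosen from the digest tail;
    # because the positions differ, no class can overwrite another.
    p_sym = digest[-1] % length
    p_dig = (p_sym + 1) % length
    p_let = (p_sym + 2) % length
    chars[p_sym] = SYMBOLS[digest[-2] % len(SYMBOLS)]
    chars[p_dig] = string.digits[digest[-3] % 10]
    chars[p_let] = string.ascii_letters[digest[-4] % 52]
    return "".join(chars)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed example secret
    for site in ("https://www.example.com/login", "example.com",
                 "https://example.org"):
        print(f"{site:32} -> {derive_site_password(master, site)}")
```

The weakness the comment points at follows directly from the design: whoever learns one derived password and knows the scheme can run an offline guessing attack on the master secret, since everything else is public. A per-site password therefore only contains damage from one cracked low-value site; it does not protect the master secret from a capable attacker, so a stronger KDF and a long master passphrase matter more here than the alphabet choice.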

    • (Score: 1) by DECbot on Sunday January 20 2019, @04:55PM

      by DECbot (832) on Sunday January 20 2019, @04:55PM (#789074) Journal

      I just picked up a Mooltipass [themooltipass.com]. It's a rather interesting hardware password keeper that works on Windows, Mac, Linux, and any phone or tablet that supports OTG USB. It doesn't need internet access and only works on the device you plug it into. Also, it uses chip and PIN. The PIN is to unlock the private certificate that's stored on the removable smart card. The device also supports multiple users via multiple smart cards. There's also a browser plugin to assist with stirring credentials to websites, but there's also an application for manually adding credentials, which is necessary for those accounts not associated with a web browser. In either case, the user name and password appear to the system as keyboard input, so this should work anywhere where a USB keyboard would (that is what I haven't tested yet).

      It's interesting enough that I'm thinking of getting a second one for my spouse so she won't reuse passwords and stop writing them in password books. Though I worry that the device is too technical for her to adopt for everyday use.

      --
      cats~$ sudo chown -R us /home/base
    • (Score: 0) by Anonymous Coward on Monday January 21 2019, @06:28AM

      by Anonymous Coward on Monday January 21 2019, @06:28AM (#789426)

      KWallet FTW

  • (Score: 1) by ShadowSystems on Saturday January 19 2019, @09:29PM

    by ShadowSystems (6185) <ShadowSystemsNO@SPAMGmail.com> on Saturday January 19 2019, @09:29PM (#788773)

    I downloaded the plain text file of sites that got hacked. I hoped to go through it, find the site(s) I might have registered an account at, & use that to determine just how worried I should be. If it was some site I hadn't been to in a decade, didn't contain any PII, & didn't offer the hackers anything of value about me, then I could ignore that site as the probable registered-and-immediately-dumped-as-worthless source it most likely had been. Now, if my *bank* were one of the sites then the shit would hit the fan & I'd be running around like a chicken with its head cut off.
    The list was a confusing mess to my screen reader & made my head hurt trying to parse it. A field with a value of "-RXRWRXRW" took a second to figure out it might pertain to a Read, Write, & Execute status, but why a list of sites would need it was beyond me. A seemingly random number was probably the number of accounts the site had given up, but again it wasn't data I cared about; I don't GAF if it splooged 1 account or billions, I just want to know if one of them was *mine*. Then there was a date stamp that was given as "Jan 01 2019" formatting. That sucks from a sorting POV as it puts April before January & kinda screws up the flow. A YYYY-MM-DD format would auto sort itself into chronological order & make things far easier. Then there was the URL (finally!), followed by an entry like "{HASH NOHASH}" & the name of a text file or database (*.SQL) about which I couldn't figure out at first. In the end the only field I cared about was the actual URL so I could try to find a site that sounded even remotely vaguely microscopically familiar.
    Once I edited the 200+Kb text file down to about 100+KB or so, then I could go through it again to delete all the sites from TLDs I'd never visited, much less made an account at. Czech? Romania? Russia? Korea? Thailand? Estonia? Spain? I could scrub the list of all of them as inherently unlikely I'd ever visited them *at all*. By the time I'd whittled it down to just domains with TLDs that *might* be possible, the file was down to under 25+Kb. It took my screen reader less than half an hour to read them to me & me to dismiss nearly *all* of them as unlikely. Christian Lesbians For Christ dot com? Ummmm... No. Crickets Singing For World Peace dot co dot UK? Doubt it. Monkey Spankers Anonymous? *Shifty eyed looks left & right* No Comment! *COUGH* Until I'd gone through the whole damned thing & found...
    Nothing. Not one. Nada. Zip. Zilch. Not a single site I recognized, not a single one for whom I had a file for listing my registration details, nobody & nowhere I might have created an account with that promptly got hacked.
    I know my email is out there, I've only had it since the Dawn Of Time & have put it out on the internet to contact me accordingly, but without a specific site to research "What info did I give them?", it amounted to a whole lot of nothing.
    I am *NOT* saying it was worthless, I am *NOT* suggesting to leave your passwords unchanged, I'm only saying that the HIBP emailed letting me know "your email & password got hacked!" couldn't tell me *from where*.
    If you tell me my car tires are making a squeaky noise, I've only got four places to check to find the cause; if you tell me "your car is squeaking" without specifying *where* then there's SFA I can do about it. It's not just a needle in a haystack, it's a non-ferrous needle made of laminated hay & there's a very-near-zero chance of me ever finding it.
    Ditto with this breach. There may have been gazillions of email+passwords out there, but without having a way for us to find out which one(s) our data came from, how are we supposed to know just how much trouble we're in?
    The HIBP site has tools that allow you to search for your email to see if it's among those in the list, but it won't tell you from where. There is a similar tool to check passwords, but you either enter them one at a time & wait or upload them all in a mass dump for HIBP to process & let you know one way or the other. Again, it will tell you if a password is among the ones HIBP knows about, but not nec'ly from where it was acquired. That's fine if you recognize the password & can then link it to a specific account, but if it's just a max length string of alphanumerics & special characters, good luck figuring out the source.
    "Just change all your passwords to be safe!" Ummmm... If I have to log in to the ~100 accounts I've got & change all those passwords, by the time I get done it'll be time to do it again next month. =-\
    *Sighs, shrugs, smiles wearily*
    Screw it. I'll just kill all my accounts except for here, my bank, & TheRegister. Everywhere else can bite my shiny metal butt...

  • (Score: 2) by darkfeline on Sunday January 20 2019, @12:53PM

    by darkfeline (1030) on Sunday January 20 2019, @12:53PM (#789015) Homepage

    You can check all of your passwords through the HIBP API. You are using a password manager, right? Just make a temporary dump and run them through a script.

    Here's such a checker written in Go: https://github.com/darkfeline/pwnck [github.com]

    (You can fetch and build it with "go get go.felesatra.moe/pwnck")

    The API accepts the first 5 characters of your password SHA1 hash, so you don't need to worry about sending your actual passwords to some API. This is bound to be more convenient than downloading a few GBs/TBs of the latest password hash dump every few months.

    --
    Join the SDF Public Access UNIX System today!
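The k-anonymity lookup the comment above describes (send only the first 5 hex characters of the SHA-1, match the remainder locally) as an added Python example; this is not darkfeline's pwnck code, and the sample API response, its counts and the password list are constructed here. The endpoint https://api.pwnedpasswords.com/range/ is the real Pwned Passwords range API; `fetch_range` is only called if you run the script online, and the offline fetcher stands in for it otherwise. The example also covers the "temporary dump" case: a list of passwords is checked with each 5-character range fetched once, so the service never sees a full hash, let alone a password.

```python
import hashlib
from urllib.request import Request, urlopen

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_split(password: str) -> tuple:
    """Return (prefix, suffix): the first 5 hex characters of the SHA-1 that
    are sent to the API, and the remaining 35 that stay on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines the range API returns into a dict.
    Zero-count lines are padding (the API adds them when asked) and are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix: str) -> str:
    """Online fetcher: ask the API for every known suffix of one 5-char prefix."""
    req = Request(RANGE_API + prefix,
                  headers={"User-Agent": "range-check-example",
                           "Add-Padding": "true"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_dump(passwords, fetch=None) -> dict:
    """Map each password to the number of times it appears in breaches,
    fetching each prefix range only once so a dump of many passwords
    costs one request per distinct prefix."""
    fetch = fetch or fetch_range
    cache = {}
    results = {}
    for pw in passwords:
        prefix, suffix = sha1_split(pw)
        if prefix not in cache:
            cache[prefix] = parse_range_response(fetch(prefix))
        results[pw] = cache[prefix].get(suffix, 0)
    return results


def breach_count(password: str, fetch=None) -> int:
    return check_dump([password], fetch)[password]


# Constructed sample response for prefix 5BAA6. The first suffix is the genuine
# remainder of SHA-1("password"); the counts and the other two lines are made up
# for this example and are not what the live API returns.
SAMPLE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:2
FEDCBA9876543210FEDCBA9876543210FED:0
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range so the example runs without network access."""
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    # Constructed stand-in for a temporary password-manager export.
    dump = ["password", "correct horse battery staple"]
    for pw, n in check_dump(dump, fetch=offline_fetch).items():
        status = f"seen {n} times" if n else "not in the sample set"
        print(f"{pw!r}: {status}")
```

If you do point this at the live API, feed it the export from a file that you shred afterwards and run it from a machine you trust; the 5-character prefix identifies a range of several hundred hashes, which is what keeps an individual password from being identifiable to the service.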