Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy Security Cloud Databases

Collection 1 Data Breach Exposes More Than 772 Million Email Addresses (zdnet.com) 68

A collection of almost 773 million unique email addresses and just under 22 million unique passwords were exposed on cloud service MEGA. Security researcher Troy Hunt said the collection of data, dubbed Collection #1, totaled over 12,000 separate files and more than 87GB of data. ZDNet reports: "What I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago," Hunt wrote. "In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see." Some passwords, including his own, have been "dehashed", that is converted back to plain text. Hunt said he gained the information after multiple people reached out to him with concerns over the data on MEGA, with the Collection #1 dump also being discussed on a hacking forum. "The post on the forum referenced 'a collection of 2000+ dehashed databases and Combos stored by topic' and provided a directory listing of 2,890 of the files," Hunt wrote. The collection has since been removed. You can visit Hunt's Have I Been Pwned service to see if you are affected by this breach.
This discussion has been archived. No new comments can be posted.

Collection 1 Data Breach Exposes More Than 772 Million Email Addresses

Comments Filter:
  • by UnknownSoldier ( 67820 ) on Thursday January 17, 2019 @02:07AM (#57975866)

    /sarcasm Like I'm going to fall for "Have I Been Pwned" -- that's just a honeypot ! =P

    • by thermopile ( 571680 ) on Thursday January 17, 2019 @02:54AM (#57975938) Homepage
      Here's Troy's write-up of the incident, which is better than the ZD net account:

      https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/ [troyhunt.com]

      • by AmiMoJo ( 196126 )

        I understand why he doesn't offer links, but I'd much prefer to have a local copy of this to work with. Aside from anything else I've got some old archives I can't remember the password for, do a dictionary would be helpful.

        • by Anonymous Coward

          Actually he does have links for downloadable copies of the database. Go to the "Passwords" tab and scroll down to the bottom. But all the data is encoded SHA-1 or NTLM. It's not a clear text database. So I doubt having a local copy would be useful for a dictionary search.

        • by davmoo ( 63521 )

          Crap. Didn't realize I wasn't logged in until I hit 'submit'. So let's try this again so that it might actually show up instead of being a hidden 'anonymous coward'.

          Actually he does have links for downloadable copies of the database. Go to the "Passwords" tab and scroll down to the bottom. But all the data is encoded SHA-1 or NTLM. It's not a clear text database. So I doubt having a local copy would be useful for a dictionary search.

          • by AmiMoJo ( 196126 )

            Interesting that he provides NTLM hashes. Every possible 8 character or less NTLM password can be cracked in under 6 hours, or a few seconds if you have rainbow tables.

            He cites the inclusion of personal info as the reason for not releasing the unhashed list. Shame it can't be cleaned up somehow.

            When you start to look around he amount of PI leakage is incredible. Search torrent sites for *.url or *.lnk or thumbs.db files, for example, and you find thousands. The often contain the user's username, which 9 tim

          • > Go to the "Passwords" tab and scroll down to the bottom.

            Thanks for the info!

            Here is the link in question that has the .torrent / .7z file: https://haveibeenpwned.com/Passwords [haveibeenpwned.com]

      • by Anonymous Coward

        This email was used on only one site, Slashdot.org

        It is pwned.

        Suggestion: Please change the password of the emails you use on /.

    • Exactly my reaction. The "checking" system should NOT ask for your email address. For example, it could ask for substrings, perhaps four letters at a time, and tell you how many possibilities there are. If there are too many to scan to see if you've been included, then you could enter another four characters and refine the search. At no point should you need to give away the email address you're trying to check.

      • by shanen ( 462549 )

        Thought of a second algorithm for a safe search. I think the first algorithm is pretty good and fairly easy to understand, but maybe it has a vulnerability. The new algorithm would require an external resource with high trust. From that resource you would download a secure checksum calculator. Not sure how you could really protect it if your computer has been pwned, but you have more serious problems in that case anyway, but assuming you can run the checksum calculator locally and securely, then you would f

  • everything in the cloud "cloud service MEGA" in this case, that you did not personally securely encrypt before hand. Is just your raw data in someone else's hands. And the security of that information is just based on your trust of them.
    Now if your good with that OK, Great, you are aware of the risks and have made a judgement on them.
    But if not you need to rethink using the cloud for that use in the first place.

    Just my 2 cents ;)
  • by piojo ( 995934 ) on Thursday January 17, 2019 @03:01AM (#57975950)
    I love their API. You can do a search without submitting any sensitive information. Not even a full sha1sum. You send a partial sha1sum, and they send back possible matches. Locally, you see if any are exact matches.

    Here is a bash/zsh function which looks up a password (obviously without printing it to console or sending it anywhere):

    function haveibeenpwned() {
    echo "Enter password to check:"
    stty -echo
    read line
    stty echo
    echo
    local sha1="$(echo -n "$line" | sha1sum - | cut -f1 -d' ')"
    echo sha1 is "$sha1"
    local prefix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\1/')"
    local suffix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\2/')"
    echo "Searching for prefix: $prefix and suffix: $suffix"
    echo
    curl "https://api.pwnedpasswords.com/range/$prefix" 2>/dev/null | grep -i "$suffix"
    }
    • by gweihir ( 88907 )

      Nice. Some people still have it and know how to do these things.

    • Using BASH RegEx (Score:5, Informative)

      by DrYak ( 748999 ) on Thursday January 17, 2019 @05:33AM (#57976238) Homepage

      local prefix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\1/')"
      local suffix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\2/')"

      For recent Bash versions that have built-in RegEx :

      [[ "${sha1}" =~ ^(.....)(.*)$ ]]
      local prefix="${BASH_REMATCH[1]}"
      local suffix="${BASH_REMATCH[2]}"

      • Every time I see a string of slashes brackets, dots, and numbers all proceeded with s/ I can't help but think: https://xkcd.com/208/ [xkcd.com]

      • by piojo ( 995934 )

        local prefix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\1/')"
        local suffix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\2/')"

        For recent Bash versions that have built-in RegEx :

        [[ "${sha1}" =~ ^(.....)(.*)$ ]]
        local prefix="${BASH_REMATCH[1]}"
        local suffix="${BASH_REMATCH[2]}"

        Nice! But if you use that, it's actually a bear to keep compatibility with zsh. You need to add this to the beginning of the function:

        [[ ! -z $ZSH_VERSION ]] && setopt local_options ksh_arrays bash_rematch

  • by steveha ( 103154 ) on Thursday January 17, 2019 @03:36AM (#57975992) Homepage

    Starting a couple of months ago, I've received a huge number of extortion emails. At this point it's extortion spam.

    All the emails follow the same pattern, and all including somewhere (usually in the To: line, for some reason) an old "burner" password I used on web sites where I don't care if the password leaks.
      Here's a rough paraphrase:

    Hi, I'm an elite international hacker, and I've hacked your email. You can tell I'm for real because I used your own email account to send this to you.

    Go ahead and change your password, but it's too late to protect you from me. I installed a secret program on your computer and it has been logging everything you do, including collecting images from your computer's webcam. I have collected a list of all the porn sites you visit and made a video showing what you were doing while you visited them. You have interesting tastes in porn, don't you!

    When you opened this email a timer was automatically started, and you have 48 hours to pay me money or else my automatic program will send all the dirt I have on you to all your friends I harvested from your email address book.

    You can use $CRYPTOCURRENCY to send me the money. Send $AMOUNT to $ID_NUMBER. [$AMOUT is usually $700 or $800 or so.] If you don't know how to use cryptocurrency, just Google it, it's easy.

    Be more careful in the future so this doesn't happen again to you.

    I have received dozens of copies of this email, with the text slightly different. Some of them end with "Don't hate me, everyone needs to do their own job." Some of them call the mysterious malware "RAT software". A couple of times the email was translated into Japanese. (I can read just a little bit of Japanese and was able to recognize it, and I showed it to a fluent friend who confirmed that it fit the above pattern.)

    <sarcasm>I must say, my computer is running pretty well considering how many elite international hackers have been messing with it and installing RAT software and such.</sarcasm>

    As it happens, I got one copy of the email at least a week before the deluge started. I realized it would have been very scary for someone who uses the same password everywhere and doesn't know how easy it is to forge the "From:" header. Doubly scary if that person actually visits porn sites.

    • by gweihir ( 88907 )

      Yeah, I got about 20 of these too. The quality kept deteriorating though, the first ones at least had a password that had not been in use for several years. The later ones sometimes came with an empty password I had supposedly been using and "improved" text with more grammar mistakes.

      I think it is time the companies that did not secure this data properly are held to account. Say $500 compensation to each customer affected. And maybe the CEO and CISO behind bars for a year or so in punishment unless they can

    • by tlhIngan ( 30335 )

      Yeah, I got a bunch of these in the span of week. First time I was curious, but I decided to wait. Of course, two days later, I got another one. Two days after that, two more.

      It had a very old password in it, not even sure when I last used it. It was also a really old email address, something I haven't used in nearly two decades now, at least for logins and passwords.

    • by AmiMoJo ( 196126 )

      I've been getting them with a very old password included in the email as "proof" that they got in. For people who re-use passwords a lot it must be quite convincing.

      A friend asked about them, and I pointed out that he didn't have a webcam and that if they had hacked it they would have included an actual photo as proof.

      • by rworne ( 538610 )

        Actually they say they will provide proof by sending "evidence" to a random number of contacts:

        "Should you are looking at going to the cop, okay, this e-mail cannot be traced back to me. I have dealt with my actions. i am also not attempting to charge a fee so much, i would like to be paid for. mail if i don't get the bitcoin, i will send out your video recording to all of your contacts including close relatives, coworkers, and many others. However, if i do get paid, i'll destroy the recording immediately.

    • Yeah well that's because of all the porn you surf. It says so right in the email. :-P

    • For the past couple of months, I also received a lot of these variants.
      All of them have a Bitcoin address that you should pay a ransom to.
      All of them claim that they hacked my "internet" and viewed me on webcams (which I don't use).
      All of them claim that they have compromising videos of me watching porn.
      Most of them have my leaked email address in the From: header.
      Many of them have a password that I used or part of it (and use that as proof they hacked "my account").
      Many of them claim the hack is on my rout

  • The companies not securing this data properly must be held to account, and it _must_ hurt. Something like a general $500 compensation to anybody affected (without the need to prove any damage) would do the trick. Sending those responsible to prison for a year or so would do it as well.

    As it is at the moment, they just continue their shoddy practices,because nothing happens to them and not securing this data properly is far, far cheaper.

    • As it is at the moment, they just continue their shoddy practices

      A website that makes a lot of money distributing porn and copyrighted content does shoddy practices? Say it aint so!

  • When are we going to get criminal liability for these companies that do not secure their data. Every week it's another breach, with another release of incredible numbers of peoples account or personal information. Enough is enough. Any company that does not secure it's user data should be criminally liable for this failure

    That and maybe they shouldn't be keeping nearly as much data. But then they can't data-mine it and sell it.
    • by Tomahawk ( 1343 )

      There's also a lot you can do also. The onus cannot fall only on the companies. They can still have everything done perfectly correctly and have all of the latest patches and have followed all of the security advise they can get their hands on, and still get breached due to some other zero-day that was exploited. There will always be holes, no matter how careful they are.

      So do what you can yourself to ensure that if a company is breached, and try to ensure your data isn't of much use. Some data will be

      • I already do all that. But none of that addresses the issue that most of these breaches are not due to some exotic zero-day exploit but from company after company not bothering to properly secure their data storage against the simplest of hacks and phishing attempts. Phish the right secretary who shouldn't have the access to those accounts and yet somehow she does and we have a breach.

        Yes there will always be some vulnerabilities. But how often do you hear of Banks having their financial systems hacked?
  • So I searched a couple of addresses and they are listed. Or, at least, the site tells me there are listed.
    What would be good, now, is if I could actually view the information about myself. Email it me, maybe? Like, I just gave you my email address...

    Just how old is the password? And for what site(s)? that information doesn't appear to be particularly forthcoming...

    • by shanen ( 462549 )

      Apparently not without giving it away, which is crazy. Per my earlier comment, there is no reason to implement it that way unless the real objective is to get more email addresses. I included an alternative algorithm in that comment.

  • by WolfgangVL ( 3494585 ) on Thursday January 17, 2019 @05:39AM (#57976254)

    Just stop sharing your damn creds. If you can't do that, then stop sharing THE damn creds.

    "Jail the execs!"
    "Hold them accountable!"
    "Fine them!"
    "We need new laws!"

    None of that shit is going to happen. If you keep making accounts for every little thing, pretty soon I'm gonna need to create a throwaway account to pump fkg gas. Just stop.

    Checkout as guest. No thanks. I do NOT agree.

    Do you really NEED an account for everydumbthing.com?

    Creds have value, otherwise, you would not be asked to give them away every other keystroke. Treat them as such.

    Sometimes, the only way to win is not to play.

  • Ya know, Kimmie-boy Schmitz, lardball extraordinaire and mostly beloved for being something the copyright mafia can sink a lot of resources in so they can't prosecute someone innocent at least for the time being?

    Well, he is German originally, and "cloud" is a homophone of the German "klaut", which means "he steals".

    Draw your own conclusions.

    • by fb ( 10330 )

      He was ousted by the company several years ago and has been very critical of them ever since.

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...