Collection 1 Data Breach Exposes More Than 772 Million Email Addresses (zdnet.com) 68
A collection of almost 773 million unique email addresses and just under 22 million unique passwords were exposed on cloud service MEGA. Security researcher Troy Hunt said the collection of data, dubbed Collection #1, totaled over 12,000 separate files and more than 87GB of data. ZDNet reports: "What I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago," Hunt wrote. "In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see." Some passwords, including his own, have been "dehashed", that is converted back to plain text. Hunt said he gained the information after multiple people reached out to him with concerns over the data on MEGA, with the Collection #1 dump also being discussed on a hacking forum. "The post on the forum referenced 'a collection of 2000+ dehashed databases and Combos stored by topic' and provided a directory listing of 2,890 of the files," Hunt wrote.
The collection has since been removed. You can visit Hunt's Have I Been Pwned service to see if you are affected by this breach.
/Oblg. Honey pot (Score:5, Funny)
/sarcasm Like I'm going to fall for "Have I Been Pwned" -- that's just a honeypot ! =P
Re:/Oblg. Honey pot (Score:5, Informative)
https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/ [troyhunt.com]
Re: (Score:2)
I understand why he doesn't offer links, but I'd much prefer to have a local copy of this to work with. Aside from anything else I've got some old archives I can't remember the password for, do a dictionary would be helpful.
Re: (Score:1)
Actually he does have links for downloadable copies of the database. Go to the "Passwords" tab and scroll down to the bottom. But all the data is encoded SHA-1 or NTLM. It's not a clear text database. So I doubt having a local copy would be useful for a dictionary search.
Re: (Score:3)
Crap. Didn't realize I wasn't logged in until I hit 'submit'. So let's try this again so that it might actually show up instead of being a hidden 'anonymous coward'.
Actually he does have links for downloadable copies of the database. Go to the "Passwords" tab and scroll down to the bottom. But all the data is encoded SHA-1 or NTLM. It's not a clear text database. So I doubt having a local copy would be useful for a dictionary search.
Re: (Score:2)
Interesting that he provides NTLM hashes. Every possible 8 character or less NTLM password can be cracked in under 6 hours, or a few seconds if you have rainbow tables.
He cites the inclusion of personal info as the reason for not releasing the unhashed list. Shame it can't be cleaned up somehow.
When you start to look around he amount of PI leakage is incredible. Search torrent sites for *.url or *.lnk or thumbs.db files, for example, and you find thousands. The often contain the user's username, which 9 tim
Re: (Score:2)
> Go to the "Passwords" tab and scroll down to the bottom.
Thanks for the info!
Here is the link in question that has the .torrent / .7z file: https://haveibeenpwned.com/Passwords [haveibeenpwned.com]
My special email only used on /. pwned (Score:1)
This email was used on only one site, Slashdot.org
It is pwned.
Suggestion: Please change the password of the emails you use on /.
How to make the search safe (Score:3)
Exactly my reaction. The "checking" system should NOT ask for your email address. For example, it could ask for substrings, perhaps four letters at a time, and tell you how many possibilities there are. If there are too many to scan to see if you've been included, then you could enter another four characters and refine the search. At no point should you need to give away the email address you're trying to check.
Re: (Score:2)
Thought of a second algorithm for a safe search. I think the first algorithm is pretty good and fairly easy to understand, but maybe it has a vulnerability. The new algorithm would require an external resource with high trust. From that resource you would download a secure checksum calculator. Not sure how you could really protect it if your computer has been pwned, but you have more serious problems in that case anyway, but assuming you can run the checksum calculator locally and securely, then you would f
Re: (Score:2)
https://pastebin.com/UsxU4gXA [pastebin.com]
was a link I took from an article linked to below.
Mostly mom'n'pop shops and random Korean/Russian websites.
I always mention to people that (Score:2)
Now if your good with that OK, Great, you are aware of the risks and have made a judgement on them.
But if not you need to rethink using the cloud for that use in the first place.
Just my 2 cents
Re: I always mention to people that (Score:2)
Re: (Score:1)
We still check in from time to time, though.
They have a great API (Score:5, Informative)
Here is a bash/zsh function which looks up a password (obviously without printing it to console or sending it anywhere):
function haveibeenpwned() {
echo "Enter password to check:"
stty -echo
read line
stty echo
echo
local sha1="$(echo -n "$line" | sha1sum - | cut -f1 -d' ')"
echo sha1 is "$sha1"
local prefix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\1/')"
local suffix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\2/')"
echo "Searching for prefix: $prefix and suffix: $suffix"
echo
curl "https://api.pwnedpasswords.com/range/$prefix" 2>/dev/null | grep -i "$suffix"
}
Re: (Score:2)
Nice. Some people still have it and know how to do these things.
Using BASH RegEx (Score:5, Informative)
local prefix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\1/')"
local suffix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\2/')"
For recent Bash versions that have built-in RegEx :
[[ "${sha1}" =~ ^(.....)(.*)$ ]]
local prefix="${BASH_REMATCH[1]}"
local suffix="${BASH_REMATCH[2]}"
Re: (Score:2)
Every time I see a string of slashes brackets, dots, and numbers all proceeded with s/ I can't help but think: https://xkcd.com/208/ [xkcd.com]
Re: (Score:2)
local prefix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\1/')"
local suffix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\2/')"
For recent Bash versions that have built-in RegEx :
[[ "${sha1}" =~ ^(.....)(.*)$ ]]
local prefix="${BASH_REMATCH[1]}"
local suffix="${BASH_REMATCH[2]}"
Nice! But if you use that, it's actually a bear to keep compatibility with zsh. You need to add this to the beginning of the function:
[[ ! -z $ZSH_VERSION ]] && setopt local_options ksh_arrays bash_rematch
I'm probably in there (Score:5, Interesting)
Starting a couple of months ago, I've received a huge number of extortion emails. At this point it's extortion spam.
All the emails follow the same pattern, and all including somewhere (usually in the To: line, for some reason) an old "burner" password I used on web sites where I don't care if the password leaks.
Here's a rough paraphrase:
I have received dozens of copies of this email, with the text slightly different. Some of them end with "Don't hate me, everyone needs to do their own job." Some of them call the mysterious malware "RAT software". A couple of times the email was translated into Japanese. (I can read just a little bit of Japanese and was able to recognize it, and I showed it to a fluent friend who confirmed that it fit the above pattern.)
<sarcasm>I must say, my computer is running pretty well considering how many elite international hackers have been messing with it and installing RAT software and such.</sarcasm>
As it happens, I got one copy of the email at least a week before the deluge started. I realized it would have been very scary for someone who uses the same password everywhere and doesn't know how easy it is to forge the "From:" header. Doubly scary if that person actually visits porn sites.
Re: (Score:2)
Yeah, I got about 20 of these too. The quality kept deteriorating though, the first ones at least had a password that had not been in use for several years. The later ones sometimes came with an empty password I had supposedly been using and "improved" text with more grammar mistakes.
I think it is time the companies that did not secure this data properly are held to account. Say $500 compensation to each customer affected. And maybe the CEO and CISO behind bars for a year or so in punishment unless they can
Re: (Score:2)
Ah, yes. I am a "troglogyte" with my own PostFix installation, custom Spamassasin configuration and RBL. And I prefer to see some stuff and will not add a custom rule for it.
You are a fucking idiot.
Re: (Score:2)
Yeah, I got a bunch of these in the span of week. First time I was curious, but I decided to wait. Of course, two days later, I got another one. Two days after that, two more.
It had a very old password in it, not even sure when I last used it. It was also a really old email address, something I haven't used in nearly two decades now, at least for logins and passwords.
Re: (Score:2)
I've been getting them with a very old password included in the email as "proof" that they got in. For people who re-use passwords a lot it must be quite convincing.
A friend asked about them, and I pointed out that he didn't have a webcam and that if they had hacked it they would have included an actual photo as proof.
Re: (Score:2)
Actually they say they will provide proof by sending "evidence" to a random number of contacts:
"Should you are looking at going to the cop, okay, this e-mail cannot be traced back to me. I have dealt with my actions. i am also not attempting to charge a fee so much, i would like to be paid for. mail if i don't get the bitcoin, i will send out your video recording to all of your contacts including close relatives, coworkers, and many others. However, if i do get paid, i'll destroy the recording immediately.
Re:I'm probably in there (Score:5, Funny)
I'm tempted to email one back asking them to send the videos out, because I saw this great porn video but can't find it now and maybe they captured it. Plus I want to change my avatar to my orgasm face but am having trouble triggering my camera at the right moment, and my mum won't help.
Re: (Score:3)
Yeah well that's because of all the porn you surf. It says so right in the email. :-P
Ransom spam/scam using leaked credentials (Score:2)
For the past couple of months, I also received a lot of these variants.
All of them have a Bitcoin address that you should pay a ransom to.
All of them claim that they hacked my "internet" and viewed me on webcams (which I don't use).
All of them claim that they have compromising videos of me watching porn.
Most of them have my leaked email address in the From: header.
Many of them have a password that I used or part of it (and use that as proof they hacked "my account").
Many of them claim the hack is on my rout
This cannot go on (Score:2)
The companies not securing this data properly must be held to account, and it _must_ hurt. Something like a general $500 compensation to anybody affected (without the need to prove any damage) would do the trick. Sending those responsible to prison for a year or so would do it as well.
As it is at the moment, they just continue their shoddy practices,because nothing happens to them and not securing this data properly is far, far cheaper.
Re: (Score:2)
As it is at the moment, they just continue their shoddy practices
A website that makes a lot of money distributing porn and copyrighted content does shoddy practices? Say it aint so!
Criminal Liability? (Score:2)
That and maybe they shouldn't be keeping nearly as much data. But then they can't data-mine it and sell it.
Re: (Score:2)
There's also a lot you can do also. The onus cannot fall only on the companies. They can still have everything done perfectly correctly and have all of the latest patches and have followed all of the security advise they can get their hands on, and still get breached due to some other zero-day that was exploited. There will always be holes, no matter how careful they are.
So do what you can yourself to ensure that if a company is breached, and try to ensure your data isn't of much use. Some data will be
Re: (Score:3)
Yes there will always be some vulnerabilities. But how often do you hear of Banks having their financial systems hacked?
Can I see my data? (Score:2)
So I searched a couple of addresses and they are listed. Or, at least, the site tells me there are listed.
What would be good, now, is if I could actually view the information about myself. Email it me, maybe? Like, I just gave you my email address...
Just how old is the password? And for what site(s)? that information doesn't appear to be particularly forthcoming...
Re: (Score:2)
Apparently not without giving it away, which is crazy. Per my earlier comment, there is no reason to implement it that way unless the real objective is to get more email addresses. I included an alternative algorithm in that comment.
everybody is acting all surprised.... (Score:5, Interesting)
Just stop sharing your damn creds. If you can't do that, then stop sharing THE damn creds.
"Jail the execs!"
"Hold them accountable!"
"Fine them!"
"We need new laws!"
None of that shit is going to happen. If you keep making accounts for every little thing, pretty soon I'm gonna need to create a throwaway account to pump fkg gas. Just stop.
Checkout as guest. No thanks. I do NOT agree.
Do you really NEED an account for everydumbthing.com?
Creds have value, otherwise, you would not be asked to give them away every other keystroke. Treat them as such.
Sometimes, the only way to win is not to play.
Re: (Score:1)
Wasn't Mega Kimmie's baby? (Score:2)
Ya know, Kimmie-boy Schmitz, lardball extraordinaire and mostly beloved for being something the copyright mafia can sink a lot of resources in so they can't prosecute someone innocent at least for the time being?
Well, he is German originally, and "cloud" is a homophone of the German "klaut", which means "he steals".
Draw your own conclusions.
Re: (Score:1)
He was ousted by the company several years ago and has been very critical of them ever since.
Re: (Score:2)
This pigfucker is charging for the database. Fuck him sideways with a rusty spork.