A database featuring a whopping 773 million emails has popped up online, and they’re paired with passwords. So, if you weren’t pwned yesterday, there’s a pretty good chance you are today.
News of the breach was broken by security researcher Troy Hunt, who runs the breach-tracking site Have I Been Pwned. According to Hunt, the stolen data appeared about a week ago on the cloud storage service Mega. The data (inside a folder called “Collection 1”) totaled about 87GB across more than 12,000 files. Some of the data was a bit messy, but Hunt managed to process it to get a handle on the scale of the breach.
Well, I’m not pwned. And I only use gmail/google for youtube/chrome bookmark stuff. I use MS for all my heavy lifting. I bet it’s from google doc users.
Yeah, it’s from a whole bunch of spots, but I haven’t seen google listed as one of the sources.
As usual, use different passwords on every site and store them in a password manager like Lastpass and you’ll be fine. If you reuse passwords you’re screwed.
There’s really no way to know unless you find a unique password in it that you can definitely tie to an account you had at a specific site. The collection is basically meant for credential stuffing attacks. Which is depressing. WTF should a stuffing attack ever work in this day and age?
Automated repeated login attempts using a collection of usernames and passwords such as that pastebin. “Stuff in” credentials as fast the system allows and note which succeed. Sane systems defend against it with throttling and other measures.
It might be old, maybe. I don’t know how else to explain how none of my passwords (I just checked all like 80+ documented passwords I have in KeePass that use any email address that had been pwned, which was just my gmail one) and only one password had been pwned (and it was a pretty easy to guess password). All the newer ones I’ve come up with or had Google generate the last few years came up green. So if they got my email (which this site claims) and there are passwords associated with that email (which I assume there are) they are passwords old enough I don’t have them documented (or have since changed them).
I can go through and change all my passwords but then what, 3 months later another breach and another round. This is just… out of control. The password rules guy already apologized. It’s time to try something different, like really penalize these companies where it hurts so they actually do something to protect their data.
Not in the same way or with HIBP integration, but LastPass can run a check and tell you which of your accounts are on sites that have known breaches. I don’t think it’ll tell you if your (alleged) credentials were in a pastebin or the like.
