Widespread data breach, change your passwords!

A database featuring a whopping 773 million emails has popped up online, and they’re paired with passwords. So, if you weren’t pwned yesterday, there’s a pretty good chance you are today.

News of the breach was broken by security researcher Troy Hunt, who runs the breach-tracking site Have I Been Pwned. According to Hunt, the stolen data appeared about a week ago on the cloud storage service Mega. The data (inside a folder called “Collection 1”) totaled about 87GB across more than 12,000 files. Some of the data was a bit messy, but Hunt managed to process it to get a handle on the scale of the breach.

It’s not from Google, is it? As far as I know, no one really knows where it originates from, or at least that was the consensus yesterday.

Well, I’m not pwned. And I only use gmail/google for youtube/chrome bookmark stuff. I use MS for all my heavy lifting. I bet it’s from google doc users.

It’s not data from a single data breach. It’s an anthology, I suppose you could say.

Yeah, it’s from a whole bunch of spots, but I haven’t seen google listed as one of the sources.

As usual, use different passwords on every site and store them in a password manager like Lastpass and you’ll be fine. If you reuse passwords you’re screwed.

There’s really no way to know unless you find a unique password in it that you can definitely tie to an account you had at a specific site. The collection is basically meant for credential stuffing attacks. Which is depressing. WTF should a stuffing attack ever work in this day and age?

What is a stuffing attack?

Automated repeated login attempts using a collection of usernames and passwords such as that pastebin. “Stuff in” credentials as fast as the system allows and note which succeed. Sane systems defend against it with throttling and other measures.
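As an added illustration of the two halves of that answer (spotting a stuffing run, and the throttling that blunts it), here is a small Python example. It is not code from any site or product mentioned in this thread; the log format, the IP addresses and the thresholds are all constructed for the example.

```python
"""
Credential-stuffing detection plus a simple login throttle, run over a
constructed login log.  Added example for illustration only; the log format,
addresses, usernames and limits below are assumptions, not any real system's.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: float        # seconds since some epoch (constructed)
    src_ip: str
    username: str
    success: bool


# Constructed sample log (format assumed: "<ts> <src_ip> <username> OK|FAIL").
# 203.0.113.7 walks a list of leaked credentials across many accounts, one of
# which still works; 198.51.100.4 is one user mistyping their own password.
SAMPLE_LOG = """
1000.0 203.0.113.7 alice@example.org FAIL
1000.5 203.0.113.7 bob@example.org FAIL
1001.0 203.0.113.7 carol@example.org FAIL
1001.5 203.0.113.7 dave@example.org OK
1002.0 203.0.113.7 erin@example.org FAIL
1002.5 203.0.113.7 frank@example.org FAIL
1003.0 203.0.113.7 grace@example.org FAIL
1000.0 198.51.100.4 heidi@example.org FAIL
1005.0 198.51.100.4 heidi@example.org FAIL
1010.0 198.51.100.4 heidi@example.org OK
""".strip()


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed log format into events, oldest first."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append(LoginEvent(float(ts), ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def flag_stuffing(events, window=60.0, min_accounts=5, max_success_ratio=0.5):
    """Return the source IPs that, inside any `window`-second span, tried at
    least `min_accounts` distinct usernames with a mostly-failing outcome.

    Stuffing runs do get some hits (the leaked password still works on the
    target site), so the rule keys on "many accounts from one source", not on
    "every attempt failed".  A single user retrying their own password never
    trips it because the distinct-username count stays at one."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        recent = deque()                      # sliding window of this IP's attempts
        for e in evs:
            recent.append(e)
            while e.ts - recent[0].ts > window:
                recent.popleft()
            users = {x.username for x in recent}
            ratio = sum(x.success for x in recent) / len(recent)
            if len(users) >= min_accounts and ratio <= max_success_ratio:
                flagged.add(ip)
    return flagged


class Throttle:
    """Fixed-window throttle on both the source IP and the target account.

    Denied attempts are still counted, so a client cannot probe the limit
    for free.  Limits are illustrative; real deployments tune them and add
    exponential back-off or step-up challenges on top."""

    def __init__(self, ip_limit=5, account_limit=5, window=60.0):
        self.ip_limit, self.account_limit, self.window = ip_limit, account_limit, window
        self.by_ip = defaultdict(deque)
        self.by_account = defaultdict(deque)

    def _record(self, bucket, key, ts):
        q = bucket[key]
        q.append(ts)
        while ts - q[0] > self.window:
            q.popleft()
        return len(q)

    def allow(self, e: LoginEvent) -> bool:
        """True if the attempt may proceed to password verification."""
        ip_count = self._record(self.by_ip, e.src_ip, e.ts)
        acct_count = self._record(self.by_account, e.username, e.ts)
        return ip_count <= self.ip_limit and acct_count <= self.account_limit


def apply_throttle(events, **limits) -> list[tuple[str, bool]]:
    """Replay events through a Throttle; returns (username, allowed) per attempt."""
    t = Throttle(**limits)
    return [(e.username, t.allow(e)) for e in events]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", flag_stuffing(evs))
    print("denied attempts:", [u for u, ok in apply_throttle(evs) if not ok])
```

On the sample data the detector names only the address that cycled through seven accounts, and the throttle lets that address through five times before refusing the rest, while the legitimate user's three retries are never blocked. The two mechanisms are complementary: throttling limits how fast a list like “Collection 1” can be tried against one site, and the distinct-account rule is what a detection team would alert on after the fact.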

It might be old, maybe. I don’t know how else to explain how none of my passwords (I just checked all like 80+ documented passwords I have in KeePass that use any email address that had been pwned, which was just my gmail one) and only one password had been pwned (and it was a pretty easy to guess password). All the newer ones I’ve come up with or had Google generate the last few years came up green. So if they got my email (which this site claims) and there are passwords associated with that email (which I assume there are) they are passwords old enough I don’t have them documented (or have since changed them).

This breach has nothing to do with Google. Bad headline.

My bad, I was on my phone and walking between meetings when I posted that. Just edited the thread title.

I finally upgraded my 1Password account (because retyping them all into LastPass just wasn’t going to happen) and it usefully links to Have I Been Pwned and highlights which of my passwords have been compromised and which logins use them. I had two in this thing, both very old ones which I now use as passwords when creating temp accounts at places with no data value… uh, except for GOG. Oops. Ok, I changed that pronto.

Incidentally I also recently received one of those phishing emails along the lines of “here’s your password, pay me monies or I’ll do something bad… uh… I will”, maybe it came from this thing.

Hmm I got a breach in one, but it doesn’t tell me which site. I’m curious hmm.

With LastPass you can automatically change passwords on some sites. Not all or most sites though.

I can go through and change all my passwords but then what, 3 months later another breach and another round. This is just… out of control. The password rules guy already apologized. It’s time to try something different, like really penalize these companies where it hurts so they actually do something to protect their data.

This is very useful. I don’t think LastPass has it, does it?

Not in the same way or with HIBP integration, but LastPass can run a check and tell you which of your accounts are on sites that have known breaches. I don’t think it’ll tell you if your (alleged) credentials were in a pastebin or the like.

I will admit I use one of my emails with super weak passwords for non-sensitive sites. It’s my “junk” email, and it’s been pwned … 9 times?

Joy. These new collections are three times larger than the previous collection, which was the largest leak ever.