Password collection with 773 million online accounts surfaced on the net

A huge collection of access data for online services is circulating in underground forums. The passwords of millions of users are affected.

Troy Hunt, operator of the password security website Have I Been Pwned (HIBP), has found a huge collection of e-mail addresses and cracked passwords on the net. In total, there are nearly 773 million different e-mail addresses and 21 million different passwords. The collection comprises more than a billion combinations of the two. In the underground forum where Hunt discovered it, the data set was named "Collection #1". The data appears to have been compiled from a variety of sources, and all passwords are in plain text.
Origin of the data
According to Hunt, the providers of the collection have structured the data so that it is especially useful for "credential stuffing". In this type of attack on a website, the attacker does not try to crack the password of a single account, but automatically feeds the login mechanism with e-mail and password combinations from a large list. The lists contained in the data leak provide nearly 2.7 billion such combinations. Attackers could use them to take over large numbers of web service accounts. This often succeeds because many users reuse the same combination of e-mail address and password across many services.
Hunt considers it plausible that the seller's description in the underground forum is correct and that the data was compiled from many different hacks and password leaks of the past. From the directory structure of the data set, conclusions can be drawn about the websites from which the data could originate, but examining all of these services to find out if and when they were hacked seems an almost impossible task, especially because it would depend on the cooperation of each individual service.
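The distinguishing signal of credential stuffing, as the paragraph above describes it, is one source trying many different accounts rather than one account many times. The following detection logic is an added example, not code from the article or from HIBP: it parses a constructed, hypothetical web-application login log (timestamp, client IP, OK/FAIL, account) and flags any source that attempts at least a threshold number of distinct accounts within a sliding time window. Successful logins are counted as well, because a stuffing run that hits a reused password produces exactly one OK among many FAILs, and those accounts are the ones a defender needs to reset. The log format, IPs and accounts are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log in a hypothetical format: "<ISO timestamp> <client IP> <OK|FAIL> <account>".
# 203.0.113.7 sweeps seven accounts in seven seconds (one hit), 198.51.100.9 is a user
# who mistypes their own password twice, 192.0.2.33 is a shared household connection.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z 203.0.113.7 FAIL alice@example.com
2019-01-17T10:00:02Z 203.0.113.7 FAIL bob@example.com
2019-01-17T10:00:03Z 203.0.113.7 FAIL carol@example.com
2019-01-17T10:00:04Z 203.0.113.7 OK dave@example.com
2019-01-17T10:00:05Z 203.0.113.7 FAIL erin@example.com
2019-01-17T10:00:06Z 203.0.113.7 FAIL frank@example.com
2019-01-17T10:00:07Z 203.0.113.7 FAIL grace@example.com
2019-01-17T10:01:10Z 198.51.100.9 FAIL alice@example.com
2019-01-17T10:01:25Z 198.51.100.9 FAIL alice@example.com
2019-01-17T10:01:40Z 198.51.100.9 OK alice@example.com
2019-01-17T10:02:00Z 192.0.2.33 OK bob@example.com
2019-01-17T10:02:30Z 192.0.2.33 OK carol@example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<result>OK|FAIL) (?P<account>\S+)$")


def parse_line(line):
    """Return (timestamp, ip, result, account) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["result"], m["account"]


def find_stuffing_sources(log_text, window_seconds=60, min_distinct_accounts=5):
    """Flag source IPs that try >= min_distinct_accounts different accounts
    inside any window_seconds-long sliding window.

    Returns {ip: {"accounts": [...all accounts tried...],
                  "successes": [...accounts where the source got an OK...]}}.
    A legitimate user retrying one account never trips this, however many
    failures they produce; a stuffing run does even when every guess fails.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, result, account = parsed
            events[ip].append((ts, account, result))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {acct for _, acct, _ in evs[start:end + 1]}
            if len(distinct) >= min_distinct_accounts:
                flagged[ip] = {
                    "accounts": sorted({a for _, a, _ in evs}),
                    "successes": sorted({a for _, a, r in evs if r == "OK"}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['accounts'])} accounts tried, "
              f"compromised: {info['successes']}")
```

The threshold and window are the tuning knobs: a large NAT or a corporate proxy legitimately presents several accounts from one address, so in production these values are set from a baseline of normal traffic, and the output feeds a forced password reset for the accounts listed under "successes" rather than a blanket IP block.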
Is my password unsafe?
If you want to know whether one of your e-mail addresses and its associated passwords are included in the data collection, you can use Hunt's HIBP service. The security researcher has spent the past few days preparing the data. However, a query only tells the user whether an e-mail address appears in the leak. For legal and purely logistical reasons, Hunt stores no passwords in his service, only hashes of the mail addresses that have been compromised. If the address is in the Collection #1 data set, you should probably change the associated password, advises Hunt.
Individual passwords can be checked with the site's Pwned Passwords function. The website then tells the requester whether Hunt has ever seen that password in a data leak. Again, Hunt stores only hashes and no plain-text passwords, and the client transmits only part of the hash, so that neither he nor an eavesdropping attacker can infer the entered password. Nevertheless, you should consider whether you want to enter a password there. Hunt makes every effort to protect the data transmitted to his site according to the current state of the art. Even so, the rule is: never enter a password anywhere on a web page unless it is the password field of the page to which it belongs.
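The "only part of the hash is transmitted" mechanism above is a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the remaining 35 characters locally against the list of suffixes the server returns. The code below is an added example, not the article's or HIBP's own client code. It runs offline against a constructed response table that stands in for the real endpoint `https://api.pwnedpasswords.com/range/<prefix>` (the `SUFFIX:COUNT` line format is the real one; the counts and the neighbouring suffixes in the table are made up, except that the entry for the well-known test password "password" is derived from its actual SHA-1).

```python
import hashlib
import urllib.request


def sha1_hex_upper(password):
    """SHA-1 of the UTF-8 password as uppercase hex, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """k-anonymity split: only the 5-character prefix ever leaves the client."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines returned for a prefix into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """How many times the password was seen in breaches; 0 if the suffix is absent.

    fetch_range(prefix) -> response body; injected so the lookup can be tested offline.
    The full hash, and of course the password, never reach the server.
    """
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def online_fetch_range(prefix):
    """Real lookup against the public range endpoint (not used by the tests)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the endpoint. Prefix 5BAA6 is the real prefix of
# SHA-1("password"); the three suffix lines and their counts are invented for the example.
CONSTRUCTED_RESPONSES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E2AAA439972480CEC7F16C795BBB429372:1",
    ]),
}


def offline_fetch_range(prefix):
    return CONSTRUCTED_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, offline_fetch_range)} times")
```

The design point is that the server receives a 20-bit prefix shared by hundreds of hashes, so it learns nothing usable about which password was checked, while the client still gets an exact answer. The same pattern is what a password manager or a registration form uses to reject known-breached passwords without ever sending them anywhere.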
Permanent protection
Hunt encourages users to use a password manager and to make sure that each website has its own password. This prevents attackers from using a password leaked from one service to break into a user's accounts on other services with the help of such password lists. He recommends the password manager 1Password, which has already integrated his HIBP service. Another good alternative is the open source community project KeePass. In the end, the best defense against losing an account as a result of such a data leak is to use many different strong passwords, and a password manager is very helpful for that.