PSA: 773M credentials circulating from largest aggregated data breach collection

[tack]

This is mainly a Public Service Announcement for everyone to take a moment to see if you're affected and potentially at risk from one of the largest aggregate data dumps from a number of recent data breaches.

Over 2.6B email addresses and passwords have been making the rounds on hacker forums. Troy Hunt, the man who runs haveibeenpwned.com -- a convenient site to check to see if your email address(es) appear in previous known data breaches -- has just submitted a total of 773M new unique credentials to the database, representing the largest collection of breached data ever processed by that site. He's called it Collection #1.

There are more technical details on Troy's blog:

https://www.troyhunt.com/the-773-millio ... ata-reach/

One of my many email addresses was affected from a breach that occurred earlier in 2018. (That breach was responsibly disclosed and I changed my email and password on that site since then so I'm not too worried about it.)

The only safe way to deal with this type of problem is to use a unique and strong password on each and every site you have an account with (and, if you have the technical capability, using a unique email address is also a good practice). This is basically an intractable problem without a password manager such as 1Password or LastPass. 1Password has a particularly nice feature where it can securely cross-reference your passwords with known compromised passwords and provide a report on what urgently needs to be actioned. (That's a pretty cool feature that may finally win me over from LastPass.)

So take a look at haveibeenpwned.com and see if you are at risk. And perhaps as a New Years resolution, consider bolstering your password management strategy if you haven't yet done so.

[Guy Rowland]

Major thanks for highlighting this Jason. It's very boring, but it has to be done. Over 3 billion addresses and passwords...

One gripe I have with 1password particularly relevant right now as I face a tedious weekend - its random password generator is a bit crap. What I could do with is 3 words tops, plus one or two numbers and one additional character. That's something that's copeable with if you need to type it manually and should be pretty secure. There's no way to set this up it seems, so many sites ask for at least a number and you can't stipulate it.

[Guy Rowland]

Excellent news! I've discovered a fantastic online random password generator. Most are very inflexible, generating doubltess very strong passwords but a right PITA if you need to manually copy between devices, family members etc. This here is quite brilliant:

https://xkpasswd.net/s/

It may look like a very clunky interface, but the joy of it is you can set the parameters exactly how you want - how many words, capitalisation, random extra characters and numbers, a pool to choose them from etc. I've got a good balanced result it approves of, that won't be a disaster to copy across if needed.

It's all still a tortuous process, but anything that helps...

EDIT - Wow. Found one large US-based awards program that's mandatory connected with booking their services AFAIK whose "password" is a 4 digit pin. That's it. This is coming up as a compromised password too. The only personal data they have on me is my address at least. Have changed the address to a fake one.

[Tanuj Tiku]

My email is on the list.

What does it mean? My password was pretty strong so I am not sure if this is just related to passwords.

I recently changed my password as well. Again, a decently strong one.

What must one do now? What do hackers do with all of this? Presumably, there is no interest in my email account as far as data is concerned.

[Guy Rowland]

What it means as far as I understand it Tanuj is that one of your logons somewhere on the net - where your email address is used to identify you - has been compromised. So its not the password for your email that you put in, its the one connected with the compromised logon. So - in theory - a hacker with access to that password can only get into that particular website, or might try other websites to see if you use the same password.

I'm using the tool in 1password now that informs me in detail of all my bad habits where there are shared and compromised passwords. I'm changing them all one by one.

[KyleJudkins]

an example would be if for instance, they hacked the soundboard, saw my email address and password used to log in here... it would allow them to log into my soundboard account, and maybe I used the same password for facebook - then it would allow them to hack my facebook, ect.

typically, if it's not really valuable, I use the same set of passwords for things. Valuable is not just "is it valuable to me" but also "is this valuable to someone else"

example1: I don't log onto a small game often - not that many people play it, and no one is likely going to want or do anything with that password.

example2: I don't log onto world of Warcraft anymore. I'm not that attached to my account, but gold sellers can benefit from hacking my account, dumping my gold - and using my characters to farm gold until my account is banned.

example3: It's not likely for anyone to want or need to hack my account on this game, but it would really upset me to lose my account/progress on this game.

in example 1, the accounts not really that important to me, not really useful for anyone to steal either. examples 2 and 3 however, are valuable to me or someone else, so it's worth using a unique and strong password.

Main suggestion(if you don't already do this) Is to use a completely unique password for each of the following:
your email
your online banking
literally anything that allows you to buy things(paypal/amazon)

last thing you want to occur is that you use a "harder password" for the 3 above, they get your email address password, now they can go onto your bank account, amazon, and paypal and cause some real havoc.

[Tanuj Tiku]

What it means as far as I understand it Tanuj is that one of your logons somewhere on the net - where your email address is used to identify you - has been compromised. So its not the password for your email that you put in, its the one connected with the compromised logon. So - in theory - a hacker with access to that password can only get into that particular website, or might try other websites to see if you use the same password.

I'm using the tool in 1password now that informs me in detail of all my bad habits where there are shared and compromised passwords. I'm changing them all one by one.

Thanks Guy, that makes sense.

I have just noticed the past month, Google Chrome now suggests strong passwords automatically. Do you guys think this is a safe feature to use?

Ideally, my passwords for Banking, E-mail and social media are unique. But, there are so many other places to log into. Chrome or Safari will remember most others for me. So, that is OK. But with this new Chrome feature, does it more or less work like 1Password?

[Tobias Escher]

To me the biggest issue with browser-included password managers is that they can not be very secure.
The one on Chrome at least asks you your windows password. But for example at companies, these passwords are often known to other users, so anyone with access to the machine will be able to read the passwords stored in a browser.
A dedicated PW manager (I use Dashlane) has its own password and will also generally use a MUCH more secure encryption.

[Guy Rowland]

That's an alarming thought, Tobias. Are you saying that third parties can access passwords stored in Google Chrome? Or is it more about other people having physical access to your machine?

Another disadvantage of Chrome as a 1password alternative is that its a lot more of a pain to copy those passwords into other apps, browsers etc as required. The knowledge that 1password can now actively scan for anything compromised is a very important new feature too imo.

[Tobias Escher]

Well, it depends
There are two general ways your accounts could be compromised:
1) you reuse login data on multiple sites. This is why the leak mentioned here can be dangerous.
2) someone finds out your login data, either for a single site, or for a site/service/account where all your info is stored. This can be done by multiple ways. True "hacking" is VERY rare and if you use unique passwords per service, there is only one noteworthy threat: Social Engineering:

In general the biggest threat to security still is social engineering.
There's two sides to it, too:
1) easily guessable passwords: If you tend to use easily researchable info for passwords, people can get into almost anything without a leak. I do IT stuff for people, as you know. And you won't believe the passwords they have... people can find that stuff out in seconds.
2) using social engineering to "break into" places where passwords are stored. This is why I do not find browser-included PW managers a good way for security.
The biggest issue is that it can be fairly easy to get access to the physical machine. TONS of people have no system password or a weak one. Even if the PW is not weak, it is known to tons of other people or can be easily guessed. Often they write it on a sticky near the PC...
A weak link are also smartphones. Super easy to guess PIN codes. Unlock patterns that you can easily see looking at trace marks on the screen. Or, again, pass codes that tons of people know.
And these browser-based pw managers often have no added security at all, or only asking the system password like Chrome. If you have that password, you're in.
As you rightly say, these methods require physical access. Sadly, by the sheer number of devices these things are shared on, that is often super easy.

But let's assume you do NOT have physical access. There's still the possibility of gaining access to the account itself.
That's DEAD easy if you are not using two factor authentication. Takes a few minutes at most in almost all cases. We can assume most people use the same email address for almost everything, so we know the login name. For the password, unless you use a super safe password, it might be able to be guessed. Even if you do - forgot password link. That will generally show you some security questions or similar, the answers of which you can get from people's facebook. Or you simply know them because you know the people. Remember - just like with crimes, bad stuff is usually committed by people you know. You answer the questions, set a new PW and you're in.

If you use two factor authentication, that avenue is closed because people will not easily get hold of your phone. BUT: that can be circumvented by calling the email provider, pretending it is the owner of the account and, again, answering the aforementioned security questions correctly.
Alternatively, you can register a "new" device with the old phone number with the provider as an addtional device. I think that's what happened to a very famous YouTuber a while ago.

Basically my main reason for not liking browser-based PW mamagers is that there only has to be ONE weak link and you know EVERYTHING.
That weak link can be everything, from 1234 as you phone passcode, to having TeamViewer with unattended access running as a system service (you can not see this unless you open Task Manager/Activity Monitor). Or just using a system password for security, which there are ways to easily reset. So then your NEW system PW will unlock Chrome's PW manager.

A "true" PW manager like Dashlane or 1Password will generally make sure of the following things:
- one UNIQUE and secure password to access its contents, which is saved NOWHERE. This is why you NEVER should use a PW manager that lets you reset the master PW if you forgot it. That is a GIANT security risk! Remember your Google Account PW is saved with Google, your System PW is saved on your PC and can be easily circumvented. If one is breached, people can get to your files. They can't if the passwords are on a totally different service with a totally different password.
- PWs are encrypted heavily, they are not in all browsers.
- every PW it suggests is unique, so if one service is breached, it does not influence others (that also applies to Chrome - but again, there might be a method to HOW it suggests new passwords and everyone can easily see which browser you are using)
- it is not influenced by security flaws in other software and bad guys can not know in advance which one you are using
- there are no plugins etc that could be used to get data from the browser.

One last general observation: I find that a lot of people pride themselves on having very smart ways of generating passwords and remembering them (like "1st letter of their full name, 2nd letter of the service the PW is used on, their mom's maiden name, their first car's license, 7th letter in the alphabet after the 1st letter of their last name subtracted by the 1st letter of the service the PW is used on"). Sounds smart, but TONS of people do it this way and VERY few services have an effective brute force protection. Also count on at least a few of those passwords to have appeared in leaks and for skilled bad guys it is easy to see the pattern.

All of you - if you get up from your studio desk right now and leave for 2 minutes and I manage to slip in the door and know where I'm looking - what can I find out before you notice?
Can I get in with TeamViewer or Anydesk? Does your Skype automatically accept calls?
Think about it. I did that exercise with a client a while back. He revised his security No breaches since.