Troy Hunt runs the service called Have I been Pwned.
Troy has had this service up for quite a number of years, and we recently posted about its 10th birthday.
This set of data includes data from the service, which may possibly include registered users, and the amount of data is quite large at 25 million unique usernames and passwords.
Some passwords might have been old data, going all the way back to 2011.
The article is quite extensive, and goes into detail on why this dump could be quite unique and worth investigating.
Troy Hunt, operator of the Have I Been Pwned? breach notification service, said the massive amount of data was posted to a well-known underground market that brokers sales of compromised credentials. Hunt said he often pays little attention to dumps like these because they simply compile and repackage previously published passwords taken in earlier campaigns.
Apparently not, as this is much bigger.
Some glaring things prevented Hunt from dismissing this one, specifically the contents indicating that nearly 25 million of the credentials had never been leaked before:
- 319 files totaling 104GB
- 70,840,771 unique email addresses
- 427,308 individual HIBP subscribers impacted
- 65.03 percent of addresses already in HIBP (based on a 1,000 random sample set)
The first item is probably nothing to sneeze at. 319 files is not that many files, but the size of the files at 104 GB (gigs) is something that is quite alarming to me. Unless you’re talking about movies mixed in with mp3 files, which is probably not the case here, it should raise concerns.
When I read
70,840,771 unique email addresses
I really started to wonder. 70 million unique email addresses? Are there that many email addresses out there? I know I personally run a few email addresses, at least one on each domain unless it’s made clear that I don’t have email there, but still. That’s a shit load of email addresses.
Two different items related to HIBP are noted in items 3 and 4. First:
427,308 individual HIBP subscribers impacted
and
65.03 percent of addresses already in HIBP (based on a 1,000 random sample set)
That has to raise some eyeballs, or even some earballs if you’re reading this through speech synthesis as a lot of my readers may. But if you’re reading this through braille, maybe it would be fingerball? Ping me and let me know what you think.
Hunt continues in the article.
“That last number was the real kicker,” Hunt wrote. “When a third of the email addresses have never been seen before, that’s statistically significant. This isn’t just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it’s a significant volume of new data. When you look at the above forum post the data accompanied, the reason why becomes clear: it’s from ‘stealer logs’ or in other words, malware that has grabbed credentials from compromised machines.”
If you haven’t been scared enough, as I break apart this article, this paragraph says:
Data collected by Have I Been Pwned indicates this password weakness runs rampant. Of the 100 million unique passwords amassed, they have appeared 1.3 billion times.
Troy did contact some of the people who confirmed that the data may have been used at some point, but this is mainly taken by some type of stealer where someone typed the information into some page that sent it off somewhere.
Dan talks about a password manager, and they recommend Bitwarden.
There are lots of options out there in regards to password managers, and the JRN does not necessarily want to recommend one over another, as we don’t know what might work for you.
LastPass works for me, even though they had a bad year. But who has a good year, especially when it comes to security?
Besides keeping passwords as safe as possible, here are recommendations taken from the article.
- Creating a long, randomly generated password or passphrase. These passcodes should be at least 11 characters for passwords and for passphrases at least four words randomly chosen from a dictionary of no fewer than 50,000 entries. Bitwarden, a free, open source password manager, is a good choice and a great way for less experienced people to get started. Once a password is created, it should be stored in the password-manager vault.
- Preventing strong passwords from being compromised. This entails not entering passwords into phishing sites and keeping devices free of malware.
- Use two-factor authentication, preferably with a security key or authenticator app, whenever possible. This doubly applies to protecting the password manager with 2FA.
- Better yet, use passkeys, a new, industry-wide authentication standard that’s immune to theft through stealer apps and credential phishing.
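To make the first recommendation concrete, here is an added example (not code from the Ars Technica article, Troy Hunt, or the JRN) that generates a random password of at least 11 characters and a passphrase of at least four words, checks a candidate against those two minimums, and works out how many bits of entropy each choice gives. The word list embedded here is a constructed 16-word sample for demonstration only; the entropy figure for a real 50,000-word dictionary is computed from the article's threshold rather than from that sample.

```python
import math
import secrets
import string

# Constructed sample word list, used only so the example runs offline.
# A real passphrase dictionary should have at least 50,000 entries (the
# article's threshold); a list this small gives a far weaker passphrase.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper",
]

# Upper/lower case letters, digits and punctuation: 94 printable symbols.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def random_password(length: int = 11, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Random password of at least 11 characters, drawn with the CSPRNG in `secrets`."""
    if length < 11:
        raise ValueError("the article recommends at least 11 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """Passphrase of at least four words chosen uniformly (with replacement)."""
    if count < 4:
        raise ValueError("the article recommends at least four words")
    return sep.join(secrets.choice(words) for _ in range(count))


def password_ok(password: str, min_length: int = 11) -> bool:
    """True when the password meets the article's length minimum."""
    return len(password) >= min_length


def passphrase_ok(phrase: str, words, sep: str = "-",
                  min_words: int = 4, min_dictionary: int = 50_000) -> bool:
    """True when the phrase has enough words, all drawn from a large enough dictionary."""
    dictionary = set(words)
    parts = phrase.split(sep)
    return (len(dictionary) >= min_dictionary
            and len(parts) >= min_words
            and all(p in dictionary for p in parts))


if __name__ == "__main__":
    pw = random_password()
    pp = random_passphrase(SAMPLE_WORDS)
    print(pw, f"{entropy_bits(len(PASSWORD_ALPHABET), len(pw)):.1f} bits")
    print(pp, f"{entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits from the sample list")
    print(f"{entropy_bits(50_000, 4):.1f} bits from a 50,000-word dictionary")
```

With a 50,000-word dictionary, four words give about 62 bits; an 11-character password over the 94-symbol alphabet gives about 72 bits. Both depend on the choices being made by a cryptographic random source, which is why the example uses `secrets` rather than `random`, and the generated secret should then go straight into the password manager vault as the article says.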
Passphrases are good as you can in fact write them down, and I would even go further and change some things only you know. This way, if the phrase gets out, only you know what exactly it is. Use that with the manager so that you can be as safe as possible.
The Ars Technica article that one of our followers boosted is titled “Researcher uncovers one of the biggest password dumps in recent history,” and this is actually covered in podcasts too.
I think this is going to be huge, and something that will be talked about for a bit as the new year kicks off.
If you have any thoughts, do sound off in the comments. We’d love to hear from you.