“There are breaches, and there are megabreaches, and there’s Equifax,” Brian Barrett reports for Wired. “But a newly revealed trove of leaked data tops them all for sheer volume: 772,904,991 unique email addresses, over 21 million unique passwords, all recently posted to a hacking forum.”
“The data set was first reported by security researcher Troy Hunt, who maintains Have I Been Pwned, a way to search whether your own email or password has been compromised by a breach at any point,” Barrett reports. “The so-called Collection #1 is the largest breach in Hunt’s menagerie, and it’s not particularly close.”
“If anything, the above numbers belie the real volume of the breach, as they reflect Hunt’s effort to clean up the data set to account for duplicates and to strip out unusable bits. In raw form, it comprises 2.7 billion rows of email addresses and passwords, including over a billion unique combinations of email addresses and passwords,” Barrett reports. “Not only is this the largest breach to become public, it’s second only to Yahoo’s pair of incidents — which affected 1 billion and 3 billion users, respectively—in size. Fortunately, the stolen Yahoo data hasn’t surfaced. Yet.”
Read more in the full article here.
MacDailyNews Note: Check if you have an account that has been compromised in a data breach via Have I Been Pwned: https://haveibeenpwned.com
So, you do all the right stuff, use a program to make a password even you can’t remember, etc, but then someone hacks into Target, your bank, your credit agency and still gets all your info. And, of course, you the end user still get blamed for not taking enough steps.
I don’t beleive the end user is the problem anymore. Sure, take prudent steps to protect yourself. But, when somebody hacks into a company and gets millions of accounts, I would submit the problem lies with the company, and not the end user. So basically having that password that “takes 2 billion years to crack” doesn’t matter as much as the security of those you do transactions with.
Companies such as Target and Citi Bank that have allowed several data breeches should be fined into bankruptcy and the senior executives be found personally criminally libel (loose their homes, all financial assets, etc). Then things will change very fast.
Any advice as to what we should do? If we change our passwords now will it be effective? Should we just change out email passwords? Where is my data going? Who is collections my data? Was I part of the equifax breach? Was I a part of the yahoo breach?
Larger context issue:
If you go to the site and enter YOUR email to the haveibeenpwned site, you have just given another unknown site (that might be hacked in the future) your email address!
Just think what the spam scammers can do with 700 million email addresses!
that is… not how that works…
No the site is dedicated to NOT doing that. It will only store an email address if you subscribe, because (d’uh) it can’t email you to inform you if it doesn’t know your email address.
How do I know this ? Because 1) the site is partnered with 1Password and therefore has credibility and 2) if you knew the facts you would know the the guy’s mission is to help people who’ve had their email/pwd breached.
1) go to haveibeenpwned.com to search for your email address and see if you’re affected
2) sign up for 1Password or some free password manager, and create individual logins for every service you use. it’s a huge hassle, but its really the only way to limit the impact of these kind of breaches. it’s worth it. do it.
Or, be old-school like the site recommends if you really don’t want to use a digital manager, use a pen and paper to keep track of them and keep it safely secured.
Go to the website and check your email passwords to see which ones are pwned. I checked, and the passwords pwned were old ones, not current. And, don’t use those pwned email passwords for any other website logins.
Its not necessarily your email’s password that has be breached. It may be an account on a site (eBay just for example) where you have used your email address as the user ID. The password associated to your user ID for that site may be the one that was breached.
Unfortunately I don’t think there is a way to know what site was breached and your email was compromised.
There is a separate site to check if any passwords you use or have used have been “breached”. You just enter the password, not the associated email.
Freeze credit (better than locking). Check social security periodically to see it someone is using your # to earn income. Opt out of most if not all marketing. Avoid google anything. Don’t use cellphone apps for financial stuff. Tell phone carriers to opt out of data location.
As much as Cook drones on about Apple making the world better, he is not taking a leadership role in making a more private secure internet. Apple doesn’t have any obvious contribution to wifi or wireless improvements. Is there some reason that a company with Apple’s resources hasn’t come up with a superior standard that can keep all your accounts monitored and managed efficiently??? People have been using touchid for years, why can’t Apple outperform 1Password and offer the user a No Password solution??? It is pathetic that in this day the safest thing a person can do is change his passwords manually as often as possible, and keep all those passwords memorized or secured offline. Apple’s pathetic Keychain is the best Timbo can do.
Apple does, on the other hand, does sit by and watch scammers like google, facebook, and worse steal your data. Cook isn’t interested in serving the user a superior technology, he’s just after your cash. It shows in everything Apple does.
Pathetic, Steve, that your contribution is to complain about the company that is miles ahead of others — any Windows or Android company for sure.
Apple can’t do anything about data you might choose to put into Facebook, or any number of other services.
And it should be very, very obvious to anyone that Apple can do nothing about what you enter into Equifax or anywhere else. How sensitive information is managed or your Mac or iPhone doesn’t affect what you give some other company which is then stored on their computers.
When all the yapping began about the cloud I raised security concerns and they are still there. When the trend of free services came about we were reminded that if you were not paying for it you are the product and they are still there.
In 2019 it is legal for a company you have no relationship with to stalk you online for profit. It is legal for them to sell this information attributed to you without your knowledge or consent. One of the best customers of such data are governments from local to national law enforcement and intelligence.
Do you really think a secure password is anything but a unicorn?
doesn’t the idea that ‘big business’ sells this information to the government (which itself sounds ridiculous) make ‘big business’ the main ‘enemy’, much more so than our government?
It figures. All my gmail accounts were compromised despite the fact that I’ve used an alpha-numeric password with special characters at a minimum of 15 character lengths.
I think that is best to avoid any unknown website that asks for personal data, even the sites protected by the https prefix.
Agreed with Crish and George. At first we need to avoid harmful websites and need to secure ourselves.
We can use password manager.
And, two factor authentication is another smart way to handle this kind of hacking.
Stay Safe