“When hackers breached companies like Dropbox and LinkedIn in recent years—stealing 71 million and 117 million passwords, respectively—they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web,” Andy Greenberg reports for Wired. “Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year’s phone book.”
“Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a patched-together set of breached databases Hunt said represented 773 million unique usernames and passwords,” Greenberg reports. “Now other researchers have obtained and analyzed an additional vast database called Collections #2–5, which amounts to 845 gigabytes of stolen data and 25 billion records in all. After accounting for duplicates, analysts at the Hasso Plattner Institute in Potsdam, Germany, found that the total haul represents close to three times the Collection #1 batch.”
“Most of the stolen data appears to come from previous thefts, like the breaches of Yahoo, LinkedIn, and Dropbox,” Greenberg reports. “Hasso Plattner Institute’s researchers found that 750 million of the credentials weren’t previously included in their database of leaked usernames and passwords, Info Leak Checker, and that 611 million of the credentials in Collections #2–5 weren’t included in the Collection #1 data. Hasso Plattner Institute researcher David Jaeger suggests that some parts of the collection may come from the automated hacking of smaller, obscure websites to steal their password databases, which means that a significant fraction of the passwords are being leaked for the first time.”
Read more in the full article – recommended – here.
MacDailyNews Take: You can check for your own username in the breach using Hasso Plattner Institute’s tool a t here.
If you find a breach, make sure you’ve changed that password.
As always, do not reuse passwords.
Keychain Access is Apple’s password management system in macOS. It was introduced with Mac OS 8.6, and has been included in all subsequent versions of Mac OS, including Mac OS X, OS X, and macOS. A macOS Keychain can contain various types of data: Passwords (for Websites, FTP servers, SSH accounts, network shares, wireless networks, groupware applications, encrypted disk images), private keys, certificates, and secure notes.
Your Mac’s Keychain Access application also has a built-in Password Assistant that can help you create good, strong passwords. To get to it, just launch KeyChain Access (found in Applications/Utilities), choose File>New Password Item and use the “Password” input box to design your passwords. To gain access to more options, you can click the button with the black key icon located next to the “Password” input box which will bring up the Password Assistant which can make passwords for you (“memorable, “letters and numbers,” etc.). Both options provide a colorful bar that goes from dark red (weak) to dark green (excellent) to indicate the Password Strength.
Make ’em strong and unique and manage/store them with Keychain Access which works across your Macs, iPads, iPhones, etc.
SEE ALSO:
Hackers expose 773 million email addresses and 21 million passwords, check yours here – January 17, 2019
Which begs the question: why go to the length of creating a password no human could remember when ultimately it will only matter that whatever password you used, impenetrable or just strong, was exposed regardless via a data breach? Definitely change one that’s been compromised, and don’t use easy to guess weak ones, but do I really need a password that only my computer can remember?
I don’t think the idea is to create a password that no human can remember. The strategy is to choose a password that no computer is able to guess through brute force.
The value of a password to hackers is minimal if it’s hard to guess and you only use it on one site. In the past, the value was primarily in discovering passwords that was used on multiple sites. Thus, a password on LinkedIn might also allow a hacker to get into your facebook account and scrape your contacts for data or get into your bank account. More recently, hackers have used stolen passwords to extort money by makingyou think they have access to your computer. And sometimes it works.
https://www.schneier.com/blog/archives/2018/07/reasonably_clev.html
anyone know…?
does the german site Hasso Plattner Institute (https://sec.hpi.de/ilc/search) Identity Leak Checker check for site IDs (user/password) only or also eMails associated with them?
that is, does it mean if abc@gmail.com is affected for xyz.com site login, is the abc@gmail.com mail also affected, or just the site login?
thanks
They have two of my email names, but according to the HPI tool, the passwords are from 2014 or older. Already been replaced ages ago.
I wish Apple would just buy 1Password (but continue to support it across all platforms). 1Password integration with apps and the OS has gotten better recently, but there are still seams. The functionality would really enhance Keychain. Another welcome feature would be Secure Enclave generation and availability of PKI certs.
My iCloud e-mail and Google (minimally used because of my disrespect of google generally) are good.
The only problem is with 3 iterations of my school system e-mail going back to 2014 (a state e-mail system which is require) are all shown on the list. Not surprised there. The governmental bodies automatically assume that they are the highpoint of technology without ever checking to see if it’s actually true, and they almost never are. In actual fact almost always at the back of the pack.
am I the only one who thinks adding my email to a website, outside the U.S. is safe?