The 773M Record “Collection #1” Data Breach

shritesh | 325 points

This is frankly terrifying and very ironic.

Websites put so much effort into tracking every little thing about their users, from where they come from to what they do. Hotjar (https://hotjar.com) goes ahead and tracks mouse movements and now we even have crazy f-ed up startups like Peekmap (https://peekmap.com) that claim to predict eye gaze without the webcam.

And yet they get pwned so easily.

So much effort into violating user privacy, so little effort into enforcing user security.

priansh | 5 years ago

Troy won’t store the passwords associated with the username, which is a choice I can absolutely respect.

But as he discusses in the post, that leaves users knowing that their email address was in the data dump, but with no way of knowing which site it came from, or what password was breached.

So while this increases the number of records in HIBP, and perhaps makes the password popularity tracker a bit more comprehensive, it still leaves users exposed.

I know which password of yours was breached, and that information is now effectively public, but you probably don’t know where to find it yourself, and I won’t tell you which one it was. So I guess just assume all your passwords are cracked and use a password manager.

I don’t really hold it against Troy, because again, I respect his decision not to store plains directly associated with usernames. He did as much as he was willing to with the data, and it’s better than nothing, but not great all the same.

zaroth | 5 years ago

Reading this tweet ( https://twitter.com/troyhunt/status/1085095504197779456 ), I've just donated the price of a coffee to Troy ( https://haveibeenpwned.com/Donate ), and you should too.

HIBP is quickly becoming a critical piece of the Internet security infrastructure, and Troy should be lauded for undertaking it basically by himself.

Darkstryder | 5 years ago

> Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It's made up of many different individual data breaches from literally thousands of different sources. (And yes, fellow techies, that's a sizeable amount more than a 32-bit integer can hold.)

I hate to be that guy [1], but no, that does fit in a 32-bit integer - as long as it's unsigned.

From the tweet, it seems like SQL Server puts the result of a COUNT into a signed 32-bit integer, which really surprises me.

[1] I lied, I love being that guy.

twic | 5 years ago

I got a notification today that my domain has been included in this collection.

But as far as I can see it is gibberish spam-mails. I see 500+ entries such as:

   fkdsjlfjldsf@example.com
   spamkdsjf31@example.com
   fsdjlfsdjkl@example.com

i.e. none of these emails at my domain are real, nor have they ever been real.

That said if you allow password-based authentication on a server which is shared you might consider using my PAM module:

https://github.com/skx/pam_pwnd

It does lookups of previously-leaked passwords. Best practice these days is SSH-keys for authentication, but this would cover weak sudo passwords too, etc.

stevekemp | 5 years ago

Someone from a well-known leak forum is claiming that the "Collection #1" discovered by Troy Hunt is only part #1 of all available collections (there are at least 5, and additional other dumps). He also posted a screenshot of the original sales thread of the owner. The dumps together seem to have a total size of almost 1TB.

Not sure whether it's cool to post any links here.

mxscho | 5 years ago

If you're using KeePass, there are some plugins to check against HIBP: https://keepass.info/plugins.html

I'm gonna download the passwords offline and try this plugin: https://github.com/mihaifm/HIBPOfflineCheck

(you can grab the offline passwords from here: https://haveibeenpwned.com/Passwords )

Fudgel | 5 years ago

What's the latest consensus on the best password manager these days? I see he is recommending 1Password, but I recently found Bitwarden which looks quite good.

shmageggy | 5 years ago

There is the rumor that it is called Collection #1 because it was part of a larger dump consisting of Collection #1, Collection #2, etc. There is also the rumor that the whole set was sold for - now hold on tight - the ginormous sum of $45.

weinzierl | 5 years ago

My email/pw is in there but there is no easy way to know from which website, so I don't know which password I have to change.

All my passwords are randomly generated so they are different for all websites.

randomthought12 | 5 years ago

So strange...

I've checked again if I was pwned and at the top there is a service I've never signed up for: Apollo, a sales acceleration platform.

I'm a simple dev and never subscribed to a sales service...

csbartus | 5 years ago

Let's say my email appeared on the Pwned list. And given most (at least I think most) people have zillions of web forums, services, and sites using the email address.

What should you do now? I mean editing and changing the password in every one of them seems like a daunting task. And many of those services I no longer use anyway.

I am thinking of completely giving up the identity and starting over, which seems easier. Or any other thoughts and comments?

Edit: I will definitely pay Apple a monthly fee if there is some simple and easy way to have an online identity using email along with FaceID or Touch ID as 2FA. Getting rid of passwords while increasing security is something that should have happened but has yet to happen.

ksec | 5 years ago

Got a few 'hacker' emails on one of my throwaway addresses on this list the last few days. That account was leaked before in another list so this was not worrisome as I get those all the time for this address.

What did strike me as odd this time is that they did not end up in my spam folder but in my inbox. I'm using Gmail which normally for me has very good spam/phishing detection. Somehow these mails came through though? Maybe it's just an instance and Google was late to catch up with the cat/mouse game on this attack. Or these phishers are getting more sophisticated?

aequitas | 5 years ago

Anyone got a link to the actual data?

markovbot | 5 years ago

Oh, it must be Tuesday. I've just updated my blog post[0] with some password best practices and it's amazing how little has changed in the last 4 years.

[0] https://darekkay.com/blog/another-password-leak-oh-must-tues...

darekkay | 5 years ago

Funny, I downloaded about 700GB of password dumps last week trying to figure out how someone got one of my passwords (no big deal, they never managed to access anything).

Maybe it was this one.

mpeg | 5 years ago

HIBP doesn't protect the privacy of searched passwords!

Showing 20 bits of the password hash narrows down the possible passwords to one millionth. You should check it locally by downloading the password hash list.

chkas | 5 years ago
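The offline check that this comment, the pam_pwnd mention and the HIBPOfflineCheck mention above all describe, as an added example that is not code from the thread or from any of those projects: it hashes a candidate password, shows the 5-hex-digit (20-bit) prefix a range query would expose, and matches the full hash against a constructed sample of the downloadable list, so nothing leaves the machine. The "SHA1:count" line format is assumed from the downloadable list; the counts in the sample are made up.

```python
import hashlib

# A range query reveals the first 5 hex digits of the SHA-1, i.e. 20 bits,
# which sorts every password into one of 16**5 buckets.
PREFIX_HEX_DIGITS = 5
BUCKETS = 16 ** PREFIX_HEX_DIGITS  # 1,048,576 possible prefixes

# Constructed sample in the offline-list format ("<SHA-1 upper hex>:<count>").
# The hashes are those of "password" and "123456"; the counts are made up.
SAMPLE_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:1000
7C4A8D09CA3762AF61E59520943DC26494F8941B:500
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, as the list stores it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple:
    """Prefix an online k-anonymity query would send, and the suffix it keeps."""
    digest = sha1_hex(password)
    return digest[:PREFIX_HEX_DIGITS], digest[PREFIX_HEX_DIGITS:]


def load_offline_list(text: str) -> dict:
    """Parse 'HASH:COUNT' lines into a lookup table; blank lines are ignored."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        digest, sep, count = line.partition(":")
        if not sep or len(digest) != 40 or not count.isdigit():
            raise ValueError(f"malformed line {lineno}: {line!r}")
        table[digest.upper()] = int(count)
    return table


def pwned_count(password: str, table: dict) -> int:
    """Times the password appears in the list (0 = absent). The full hash is
    matched locally; no prefix or hash is sent anywhere."""
    return table.get(sha1_hex(password), 0)


def bucket_size(prefix: str, table: dict) -> int:
    """Entries sharing a 5-digit prefix, i.e. what a range query would return."""
    return sum(1 for digest in table if digest.startswith(prefix.upper()))


if __name__ == "__main__":
    table = load_offline_list(SAMPLE_LIST)
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = split_for_range_query(candidate)
        print(candidate, pwned_count(candidate, table), bucket_size(prefix, table))
```

Against the real multi-gigabyte list you would keep it sorted on disk and binary-search the hash rather than load it into a dict, but the lookup logic is the same.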

Here's one more record to add: my HN password is my username. Feel free to use this account for anonymous well-intentioned posting.

hnuser1234 | 5 years ago