16 Billion Apple, Facebook,Google and Other passwords leaked - Act now

in News
end is nigh
Stealer logs. Lol.
Ignoring that neither reddit nor forbes (to which reddit is linked) are sources of high reputation in cybersec ...
Ooopsie - but: anyone really surprised?
Are we sure this is accurate and not just minimum wage journos sensationalizing the facts to get more clicks? Most big [tech] corps properly hash user passwords, so it is not possible to "leak" a password, just their hashes.
that's why you have 2FA enabled for everything you can
Who knows. But using two-factor authentication is always better than not using it.
Pretty sure it's just a result of passwords from previous breaches being tested on other services. I imagine they might've tested each credential pair on various services to see if they actually function there and if so, add them to this giant list (I don't think each of those services have actually been breached directly).
Bad for those that re-use passwords (or maybe even use password patterns), but ultimately doesn't affect those that use randomly generated passwords for each account they have.
Bit more info here
https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/
Do you expect me to read?
I thought the maid could read it to you as a bedtime story tonight
infostealers such a good name though
should i start a summerhost called cpustealers? sounds better than cumhost...
I vote for BandwidthBurglar, direct competitor of SurferCloud
"Deciphering an 8-character password hash (for example) is essentially reversing the encrypted value back to its original form. If the password length is only eight characters long, the chances of successful recovery are significantly higher, especially if common encryption methods like MD5 or SHA-1 were used.
What will be required?
To successfully decipher a password hash, you need several resources:
1. Encryption Algorithm Identification
Firstly, it's essential to determine which algorithm was used for hashing. Common algorithms include:
2. Attack Methodology
There are two primary approaches to cracking hashes:
a) Brute Force Attack
This involves trying all possible combinations of alphanumeric values. For example, with an alphabet size of 62 symbols (a-z, A-Z, 0-9), there would be approximately 62⁸ ≈ 2⁴⁷ possibilities, making this attack feasible though computationally intensive. This approach works best on short and simple passwords.
b) Using Rainbow Tables
A rainbow table is a precomputed database that maps known passwords to their corresponding hash values. Such tables exist for 8-character passwords and allow quick lookups between a given hash and potential plaintext passwords.
3. Computing Power
The speed of your attack depends heavily on computational power:
Realistic Expectations
An 8-character hash is relatively weak, particularly when using basic algorithms (like MD5). Even with moderately secure algorithms like bcrypt set at low iteration counts, it may still lead to successful password recovery within reasonable time frames provided sufficient computing resources.
In conclusion, recovering an 8-character password is quite realistic if you have access to powerful hardware (such as GPUs or cloud services). However, keep in mind that unauthorized attempts could violate legal regulations unless explicit consent from data owners has been obtained."
Of course, if you use a password of more than 16 characters, the probability of such an attack is reduced.
> @nvme said:
> infostealers such a good name though
> should i start a summerhost called cpustealers? sounds better than cumhost...
1mbps.cloud
BandwidthHeist.io
ma****groupchatmadeletdeadpool.host would be the end of all summer hosts
Thank you for that somewhat old-ish "schoolbook" explanation.
But it's not as simple as that. Just one example: salted hashes; depending on salt size and domain this can thwart most common attacks for all not very major (read state or large and/or very well funded organisation) attackers.
At the same time though 2FA often is misunderstood. It depends very strongly on 2 factors (pun not intended), namely the medium and the quality of the second factor. One somewhat ugly example is 4 to 6 digits (i.e. a very small domain) via SMS (i.e. a communication medium/channel that no professional would consider to be safe). That is, 2F auth. quite often is little more than sakkurity theater/marketing BS.
And btw, it's very rarely (outside universities, etc) the algorithm that's attacked (and well attackable) but the implementation.
All in all I'd be quite surprised if only about 2 accounts of every living person (on average) would have been hacked/pawned...
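The salting point above, as an added example that is not from any poster in this thread: two users with the same password get the same unsalted MD5, so one precomputed lookup cracks both, while a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 here, iteration count and wordlist are constructed for the demo) defeats the same table.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # demo value; production deployments use higher counts


def md5_unsalted(password: str) -> str:
    """Legacy-style storage: same password -> same digest for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: bytes = b"") -> tuple:
    """Per-user random salt; returns (salt, derived_key) for storage."""
    if not salt:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, dk


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, stored)


def precomputed_table(wordlist, hash_fn) -> dict:
    """A tiny stand-in for a rainbow/lookup table: digest -> plaintext."""
    return {hash_fn(w): w for w in wordlist}


def demo() -> dict:
    """Constructed scenario: two accounts share a password from a short wordlist."""
    wordlist = ["password", "letmein", "summer25", "hunter2"]
    shared_pw = "summer25"
    md5_table = precomputed_table(wordlist, md5_unsalted)
    # Unsalted: both records collide and the table resolves them immediately.
    md5_hits = [md5_table.get(md5_unsalted(shared_pw)) for _ in ("alice", "bob")]
    # Salted: each record has its own salt, so the digests differ and a table
    # built without that salt cannot resolve them.
    s1, dk1 = pbkdf2_salted(shared_pw)
    s2, dk2 = pbkdf2_salted(shared_pw)
    return {
        "md5_hits": md5_hits,
        "salted_digests_differ": dk1 != dk2,
        "login_ok": verify_salted(shared_pw, s1, dk1),
        "login_wrong": verify_salted("summer26", s1, dk1),
    }
```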
Still quite vague about what exactly and how much is leaked:
Collecting the info from hacked devices is certainly more plausible than acquiring database dumps of encrypted passwords and trying to unhash them. But this way you won't get a billion new logins. And with such large datasets (if they are real at all) it becomes harder and harder to verify their authenticity. So I for one will remain calm.
If any significant leak happens there will be news full of it and most importantly people will notice being exploited rather than finding somewhere some mysterious TB worth of some random database dump.
Ding ding ding ding.
"Minimum wage journos" :D
That was my takeaway anyway
Journalists may be stupid, but the fact remains that databases are now open to everyone. The number of leaked data is too high to just ignore it.
Shit, did anyone get some ****hub accounts???
On a serious note, 16 BILLION, hmm, nice.
True.
2fa is annoying much!
https://www.bleepingcomputer.com/news/security/no-the-16-billion-credentials-leak-is-not-a-new-data-breach/
I keep an obsolete smartphone or (better) an iPad next to my PC for quick 2FA access. That way if god forbid I lose my actual mobile phone I don't lose all my 2FA access with it (yes I do keep backup codes but still easier to delegate an obsolete device or tablet that always stays home for 2FA).
So were passwords when I first encountered them. The systems I first played with back as a kid waaaaaaay back in the 70s didn't use them. First time I had to remember a password was like "oh man, what a pain..."
Why am I not doing this? I'm drowning in old phones.
much surprise 😉
old phones are so nice
Yes, add another old junk with no software and firmware security updates to expose your ass even more.
So best is to not keep anything you wouldn't want others to see.
Developers need to be jailed for writing insecure software, and then maybe we will have less breaches/hacks.
This crap has gone for too long unregulated and with no accountability for both companies and code writers.
That old phone could be completely disconnected from the network (airplane mode) and still work as a 2FA authenticator. In fact I think you could permanently leave it in airplane mode and still set up 2FA accounts, etc.