Massive theft of passwords globally, Is it true?
I got this email from GINERNET:
Dear rami adel,

Unfortunately, we are increasingly regularly receiving news about massive theft of passwords globally. The latest, this week, is the publication of a 40GB file that includes 1400 million passwords and can be downloaded by any user through the torrent network. You can learn more: https://www.adslzone.net/2017/12/12/1-400-millones-contrasenas-deep-web/

Want to know if your data is publicly accessible on the Internet? You can check it here: https://haveibeenpwned.com/

Regarding this situation, we want to remind you that at GINERNET we offer a two-step authentication system, so that in order to access your client area you must log in with your password and additionally enter a random code that you receive on your mobile. Remember that if an attacker gained control of your client area, they could steal contracted services such as domains, or in the worst case permanently remove services. We would have to restore a backup to recover the lost services and information from the date of the backup before the hacking, adding downtime to this issue due to the loss of service. Therefore, we recommend that you enable two-step authentication from this link; it is very simple: https://cli.ginernet.com/clientarea.php?action=security
Is this true?
Comments
Yes, the file has been out for a while but it's just a collection of breaches over the years organised into one file.
Hm, surprised KrebsOnSecurity hasn't mentioned it. I skimmed through December to now on his page and didn't find anything.
None of the 1400 million passwords are new. Someone simply collected old breaches and made the user/pass info easy to search. It was originally posted here on r/pwned (actually links to archive.fo's copy of the page, since reddit has removed the self text of the post).
It happens. Hell, I'm even on there thanks to LinkedIn. I haven't had an active account there for probably about a decade, but my address is forever besmirched.
I just saw big names in the list; that's why I wasn't so sure it was true.
https://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14
This is also a fantastic example of "don't use the same password for everything on every site or VPS or computer or anything".
I always tell people so, but no one listens.
Passwords are horrible, don't rely on passwords for security.
@Rami
Did you hear of masterdeeds...?
OK, Alex.
No
Who's that?
Either Trebeck, or Jones. Take your pick. (2FA4LYF)
oboy....
https://mybroadband.co.za/news/security/233767-check-if-your-details-were-in-massive-south-african-data-leak.html
If you really want to keep up with this stuff: https:// raid forums .com/Forum-Databases (it's worth paying)
I generally have so many of these databases it's rather obscene. I just recently wiped the slate though as I haven't seen any new significant data for a bit, mostly just repackaged combinations of stuff we've been dealing with for over a year.
The reality is this: you were compromised somewhere long ago and with so many other people that your credentials may still have not yet been used. Don't believe for a second that you're safe because a year or more has passed.
That link can help you if you really want to find out what is out there about you. You won't get the level of detail and context from anything but the raw data.
I think I've said it before: it's a great idea to open a site such as HaveIBeenPwned and collect emails from random people. You don't have to have any breach databases, just make a function that on some mails is always going to say pwned. Something like: filter input, convert all letters to lowercase, letter to number, add them all, modulus by potato, if greater than some number show as pwned, else not.
Then, all of the collected mails are going to be informed about The Truth.
@Jarland, are you a moderator on HF too, btw?
No but I am two members. Keep your enemies closer
Sounds HOT.
Bi-member.
Knowing @jarland's ego, he registered twice just to see GOD beside his name a second time. *
* This is intended to tease Jar-Jar based around all of the LET derails calling him a megalomaniac.
For that, @WSS, your punishment is to get down on the floor and tell me 250 times that everyone loves me.
AGAIN, MASTAH???
What if I just photoshop one Taylor Swift CD to have your name on it, instead?
Deal.
Pretty confident I'm accurate in stating that any competent host or provider has a mole in HF one way or another.
As Sun Tzu wrote: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
“On a long enough time line, the survival rate for everyone drops to zero.” -- Chuck Palahniuk, Fight Club
Something I've started doing is using email aliases as burner addresses and subaddressing. (Thanks MXRoute!)
A feature where a person could quickly setup a burner alias, and then get notified privately when it shows up on a password list would be interesting. You could put those databases to use.
Theft of passwords is not something generic. Generally, it all depends on whether the developers of the software know what they are doing. For example, not salting your passwords before saving them to the database is a common rookie mistake.
Also, 2FA (two-factor authentication) technology helps prevent account breaches even if the hacker knows the correct password. This is because you also need a time-based token to make a successful login (which is generated by, for example, Google Authenticator, which you install on your smartphone). This means that the hacker will need physical possession of your smartphone to do any real damage.
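The two defences named in the post above, as an added example that is not from the thread or from any provider mentioned in it: a per-user salted, slow password hash (so identical passwords from a breach compilation no longer map to identical stored hashes) and an RFC 6238 TOTP check of the kind Google Authenticator produces. The usernames, passwords and secret are constructed sample values; the TOTP secret is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed sample: two users chose the same weak password.
USERS = {"alice": "Password123", "bob": "Password123"}

def unsalted_hash(password: str) -> str:
    # The rookie mistake from the post: bare SHA-256, no salt. Identical
    # passwords collapse to identical hashes, so one lookup cracks every user.
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt=None, rounds: int = 200_000):
    # Per-user random salt plus a slow KDF: the same password now yields a
    # different digest per user, and every guess costs `rounds` iterations.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest

def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time compare

def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 TOTP over HMAC-SHA1 (Google Authenticator's default): the code
    # depends on the shared secret and the current 30-second time window.
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, for_time=None, skew: int = 1) -> bool:
    # Accept the current window and +/- `skew` neighbours to tolerate clock drift.
    now = int(time.time()) if for_time is None else for_time
    return any(hmac.compare_digest(totp(secret, now + d * 30), code)
               for d in range(-skew, skew + 1))

def demo() -> dict:
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],  # True
        "salted_identical": salted["alice"][1] == salted["bob"][1],  # False
        "verify_ok": verify_salted("Password123", *salted["alice"]),
        "verify_wrong": verify_salted("password123", *salted["alice"]),
    }
```

Note that the salt is not secret; it only has to be unique per user and stored beside the digest, while the TOTP secret must be kept as carefully as a password.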