# 773 Million Credentials Leaked



## Regeneration (Jan 18, 2019)

A huge database of logins/passwords was leaked to MEGA a few days ago. Stolen from multiple hacked sources.

Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It's made up of many different individual data breaches from literally thousands of different sources.

Source

How to check if yours is among them: https://haveibeenpwned.com


----------



## EarthDog (Jan 18, 2019)

Wth is this?

The Fortnite thing?

That link does nothing... lol


----------



## biffzinker (Jan 18, 2019)

EarthDog said:


> Wth is this?
> 
> The Fortnite thing?




"Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It's made up of many different individual data breaches from literally thousands of different sources."
https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/


----------



## IceScreamer (Jan 18, 2019)

My mail is on the list, but my password isn't, so that's at least something.


----------



## biffzinker (Jan 18, 2019)

IceScreamer said:


> but my password isn't





> *NIST's guidance: check passwords against those obtained from previous data breaches*
> 
> The Pwned Passwords service was created in August 2017 after NIST released guidance specifically recommending that user-provided passwords be checked against existing data breaches. The rationale for this advice and suggestions for how applications may leverage this data is described in detail in the blog post titled Introducing 306 Million Freely Downloadable Pwned Passwords. In February 2018, version 2 of the service was released with more than half a billion passwords, each now also with a count of how many times they'd been seen exposed. A version 3 release in July 2018 contributed a further 16M passwords and version 4 came in January 2019 along with the "Collection #1" data breach to bring the total to over 551M.


https://haveibeenpwned.com/Passwords


----------



## Vya Domus (Jan 18, 2019)

Pretty sure that site is bollocks. No matter what random string you write, it will either say it's safe or not, but never that it doesn't exist.


----------



## moproblems99 (Jan 18, 2019)

Could it be that safe means it isn't in there?


----------



## Vya Domus (Jan 18, 2019)

Also, I would refrain myself from using that password checker thing. It's quite ironic that it is this easy to get people to write their passwords randomly on some site.


----------



## biffzinker (Jan 18, 2019)

Vya Domus said:


> Also, I would refrain myself from using that password checker thing. It's quite ironic that it is this easy to get people to write their passwords randomly on some site.


An explanation of how it works is available. 

Cloudflare, Privacy and k-Anonymity - https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity
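The k-anonymity scheme the linked post describes, as an added illustration (example code written for this thread, not Have I Been Pwned's own): the client SHA-1 hashes the password, sends only the first five hex characters, receives every known hash suffix under that prefix with its exposure count, and does the match locally, so neither the password nor its full hash leaves the machine. The sample range response is constructed; only the suffix for "password" is real, and the live endpoint URL is assumed rather than taken from the thread.

```python
import hashlib
import urllib.request

# Constructed stand-in for the body the range endpoint returns for prefix
# "5BAA6": one "<35-hex suffix>:<count>" line per known hash. Every count,
# and every suffix except the one for "password", is made up.
SAMPLE_RANGE_RESPONSE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # suffix of SHA-1("password")
    "1E2AAA439972480CEC7F16C795BBB429372:1\r\n"
)
OFFLINE_RANGES = {"5BAA6": SAMPLE_RANGE_RESPONSE}


def split_hash(password):
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn 'SUFFIX:COUNT' lines into a suffix -> count map; blank lines ignored."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_lookup(prefix):
    """Constructed offline substitute for the network call; unknown prefix -> empty body."""
    return OFFLINE_RANGES.get(prefix, "")


def live_lookup(prefix):
    """Real range query over the network (endpoint assumed, not from the thread)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, lookup=offline_lookup):
    """Times the password appears in the breach corpus; 0 if its suffix is absent.
    Only the 5-char prefix is handed to `lookup`; the suffix never leaves here."""
    prefix, suffix = split_hash(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "jibbajabbajoo"):
        print(pw, "->", breach_count(pw))
```

Pass `lookup=live_lookup` to query the real service; the offline default answers from the constructed sample only.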


----------



## IceScreamer (Jan 18, 2019)

biffzinker said:


> https://haveibeenpwned.com/Passwords


It has been changed last month.


----------



## eidairaman1 (Jan 18, 2019)

Vya Domus said:


> Also, I would refrain myself from using that password checker thing. It's quite ironic that it is this easy to get people to write their passwords randomly on some site.



I wonder if OP's TPU account has been Pawned.

Looks like a Phishy in a Pharm


----------



## Bones (Jan 19, 2019)

Agreed - Don't think hackers haven't noticed and neglected to "Get busy" with it.
Could be this is something set up to farm addys and passwords YOU give, making it easy for them to get.

I don't like the looks of it myself.


----------



## hat (Jan 19, 2019)

I concur. It hardly seems professional.

However, it's worth mentioning that evidently the password "jibbajabbajoo" is safe! Let's all use it.


----------



## eidairaman1 (Jan 19, 2019)

hat said:


> I concur. It hardly seems professional.
> 
> However, it's worth mentioning that evidently the password "jibbajabbajoo" is safe! Let's all use it.



Or shaqfuisgreat


----------



## Regeneration (Jan 19, 2019)

The website is legit. It checks if your email address exists on the latest database and previous breaches.


----------



## rtwjunkie (Jan 19, 2019)

Bones said:


> Agreed - Don't think hackers haven't noticed and neglected to "Get busy" with it.
> Could be this is something set up to farm addys and passwords YOU give, making it easy for them to get.
> 
> I don't like the looks of it myself.


No. What the site does is list websites you are or have been a member of who had data breaches.  That’s the thing, it’s old and new. Some people will only have former breaches.

For instance, I was on half a dozen sites that were data breaches at one time.  For example, NexusMods.  That was about 4 years ago, and everyone that paid attention to their notifications changed their login info and passwords.  The site is thus one of mine listed because it is associated with the email addy I input.  It doesn’t mean people are currently breached.

People that pay attention and correct these things as websites warn them can input the email you use for sign ins and see that the only things listed are issues that have since been corrected.

Those that it shows a current problem, well then you might be asking why that associated website hasn’t warned you yet.


----------



## Vayra86 (Jan 19, 2019)

Regeneration said:


> How to check if yours is among them: https://haveibeenpwned.com



Are people here seriously questioning the legitimacy of haveibeenpwned.com? Wow... The site has only been around for over a decade doing the exact same thing. Good morning!

Same here wrt NexusMods, and my data was also leaked through Dungeons & Dragons Online. And yes, since those leaks, I get the occasional login on random accounts elsewhere for which I haven't bothered to change passwords. 2FA is my savior


----------



## 95Viper (Jan 19, 2019)

Vayra86 said:


> Are people here seriously questioning the legitimacy of haveibeenpwned.com? Wow... The site has only been around for over a decade doing the exact same thing. Good morning!



Yep, I question anything to do with someone wanting to collect data like this,
You go to that site... he logs your IP, you input your e-mail address.  Now, you input your password to check it... and, remember, still got your IP.
They now have two lists.  An e-mail one with IPs and a password list with IPs.
Compare the data;  and, just match date, time, email addresses (& IPs), with Password (& IPs).
Just compiled me a nice list of possibilities.

Just my opinion.

Also,  I am skeptical, too... looks like a scare tactic to get subscribers for his password manager.


----------



## R0H1T (Jan 19, 2019)

Well there's always vpn, proxy, TOR & other alternatives if you don't want to be tracked/traced personally.


----------



## rtwjunkie (Jan 19, 2019)

95Viper said:


> Yep, I question anything to do with someone wanting to collect data like this,
> You go to that site... he logs your IP, you input your e-mail address.  Now, you input your password to check it... and, remember, still got your IP.
> They now have two lists.  An e-mail one with IPs and a password list with IPs.
> Compare the data;  and, just match date, time, email addresses (& IPs), with Password (& IPs).
> ...


You are spreading FUD, which as a moderator you definitely should know not to do.

Simple answer is don’t check any passwords with the site.  You should be changing all your passwords regularly anyway.  It’s just an informational tool that confirms sites you’ve been on that were breached at one time (and hopefully you fixed those logins back then) and (hopefully not) any currently breached sites you belong to.  It does this with the email addy that you use for site registrations (hopefully you use an unimportant one).

The site is just informational, and as @Vayra86 said has been providing this service for many years.


----------



## 95Viper (Jan 19, 2019)

R0H1T said:


> Well there's always vpn, proxy, TOR & other alternatives if you don't want to be tracked/traced personally.



True.
However, how many everyday users really use such.  A lot, probably, have not heard of, or do not understand such.



rtwjunkie said:


> You are spreading FUD, which as a moderator you definitely should know not to do.
> 
> Simple answer is don’t check any passwords with the site.  You should be changing all your passwords regularly anyway.  It’s just an informational tool that confirms sites you’ve been on that were breached at one time (and hopefully you fixed those logins back then) and (hopefully not) any currently breached sites you belong to.  It does this with the email addy that you use for site registrations.
> 
> The site is just informational, and as @Vayra86 said has been providing this service for many years.



No FUD, just my opinion of a possibility.
Vayra86 brought up the question; so yes, I answered Vayra86 and I am seriously questioning it.

Simple answer... I did not and have not used the site!
And, I agree, that a password should be changed regularly, or, when you have doubt/suspicion.

And, personally, I do not care if the site has been there since day one.


----------



## Vya Domus (Jan 19, 2019)

That's not FUD, it's the least bit of common sense you can apply to these things. Online security in general is in a horrible state as it is, don't make it even worse if you can.


----------



## Arctucas (Jan 19, 2019)

Seems phishy to me...


----------



## EarthDog (Jan 19, 2019)

95Viper said:


> However, how many everyday users really use such. A lot, probably, have not heard of, or do not understand such.


OT... but at least at OCF, I was surprised how many users 'hid' behind a VPN. Now, it isn't a lot... but it was a lot more than I would have ever expected.


----------



## Vayra86 (Jan 19, 2019)

95Viper said:


> Yep, I question anything to do with someone wanting to collect data like this,
> You go to that site... he logs your IP, you input your e-mail address.  Now, you input your password to check it... and, remember, still got your IP.
> They now have two lists.  An e-mail one with IPs and a password list with IPs.
> Compare the data;  and, just match date, time, email addresses (& IPs), with Password (& IPs).
> ...



Take the effort to click on a few tabs on that site and you get in-depth API info, code to use and implement, etc. I've seen my share of scammy sites but this is not how those tend to look. Spotless English clearly written by a native speaker, and accurate results one can recognize without exceptions. The API works.

This is no BS site. The fact so many of you haven't heard of it, to me is honestly stunning, more so than your thoughts of its legitimacy or purpose.

Due diligence pls? Click around a bit and see for yourself ...

Oh it's half a decade, I see...
https://en.m.wikipedia.org/wiki/Have_I_Been_Pwned?


----------



## Vya Domus (Jan 19, 2019)

Vayra86 said:


> This is no BS site. The fact so many of you haven't heard of it, to me is honestly stunning, more so than your thoughts of its legitimacy or purpose.



Site is legit, got it. Point is, every time something asks to write down your password it's good to instinctively not do it. I find it stunning that this isn't the first thought people get. It's absurd to suggest that we should read the source code and all that.


----------



## Solaris17 (Jan 19, 2019)

Vya Domus said:


> Pretty sure that site is bollocks. No matter what random string you write, it will either say its safe or not, but never that it doesn't exist.



This site is not "bollocks" nor is it "some random site".

Whoops, didn't see page 2, beating a dead horse.


----------



## Vayra86 (Jan 19, 2019)

Vya Domus said:


> Site is legit, got it. Point is, every time something asks to write down your password it's good to instinctively not do it. I find it stunning that this isn't the first thought people get. It's absurd to suggest that we should read the source code and all that.



Yeah well. There are lots of services that save passwords in plaintext, whatcha gonna do about that? If your security is through obscurity you are living an illusion.

The site still cannot associate your passwords to anything but an email address and any service TODAY that does not offer 2FA should be on your shitlist anyway.

What you SHOULD use the password check for is to see whether it's a strong password or not. Security means making any breach a 'too much effort' affair, so strong passwords are a nice first line of defense, nothing more and nothing less. They secure you against the most basic level of attacks. After that it's up to 2FA.


----------



## Vya Domus (Jan 19, 2019)

Vayra86 said:


> There are lots of services that save passwords in plaintext



As I said previously, if you can, don't take unnecessary risks. Even if your password is stored somewhere in a notepad, you didn't have control over that.


----------



## Vayra86 (Jan 19, 2019)

Vya Domus said:


> As I said previously, if you can, don't take unnecessary risks. Even if your password is stored somewhere in a notepad, you didn't have control over that.



So don't take unnecessary risks, and *before you change your password on a service,* check whether it's a safe one that is frequently used in breaches. Or try five of them... I mean, it's not hard to get your obscurity back.

You guys act like there are sweat shops full of sweaty nerds sitting there manually typing in passwords. This stuff happens by the large numbers, not individual accounts. And the top passwords tried are those most frequently used - not the ones people may or may not use for their email address on a trusted website.

Seriously, it's like I went back in time 10 years over here in this topic. Some of you really haven't got the slightest clue how security and hacks have changed over the past decade. It's all about big data. Even this very topic is entirely about a _massive_ data leak. Not individual accounts, but a massive scoop up of millions of them. It's the numbers that determine the success rate, even if you hack 1% you're sitting on a goldmine.


----------



## Vya Domus (Jan 19, 2019)

Vayra86 said:


> check whether it's a safe one that is frequently used in breaches.



Sorry but that's absolutely terrible advice. Rather than checking somewhere if your password was used or not in a breach, do yourself a favor and use a new one.


----------



## Vayra86 (Jan 19, 2019)

Vya Domus said:


> Sorry but that's absolutely terrible advice. Rather than checking somewhere if your password was used or not, do yourself a favor and use a new one.



Mate, there _are no safe passwords_. Just varying degrees of how quickly they are breached. So if you find one that hasn't been breached yet in known hacks, you've got the highest assurance you can have that it's safe. That is why companies deploy 2FA.

Like I edited in previous post, you have a security mindset of ten years ago.


----------



## Vya Domus (Jan 19, 2019)

You could have checked your password a million times, that won't decrease the chances it will find its way into the next breach one bit.


----------



## Vayra86 (Jan 19, 2019)

Vya Domus said:


> You could have checked your password a million times, that won't decrease the chances it will find its way into the next breach one bit.



Depends on what breach you speak of. If it's one of data mined or hacked credentials then no. But if it's about working with known frequently used ones, then for sure the checker is decreasing your chances. But most of all it's for entertainment purposes. Was your 'original' password really that original? Pretty interesting for that.

It also doesn't defeat the point I was making. Passwords are not a guarantee of security ever, anywhere.


----------



## Vya Domus (Jan 19, 2019)

Vayra86 said:


> But if it's about working with known frequently used ones, then for sure the checker is decreasing your chances.



If you've gotten to the point where you need to check that, you've already got a problem. If anything by insisting to use the same passwords, even if they are safe up until now, you're just increasing the number of places from which breaches can occur.

This is a solution to an already ill-posed problem. Breaches are out of your control, best you can do is use new passwords and multi-factor authentications as you said.


----------



## Vayra86 (Jan 19, 2019)

Vya Domus said:


> If you've gotten to the point where you need to check that, you've already got a problem.



In my personal case, I never knew my stuff was compromised until I put in my email address on the website. Then I found the news articles about Evony and DDO breaches in which my data was contained.

The main goal here I think is _awareness._


----------



## 95Viper (Jan 19, 2019)

Vayra86 said:


> Take the effort to click on a few tabs on that site and you get in-depth API info, code to use and implement, etc. I've seen my share of scammy sites but this is not how those tend to look. Spotless English clearly written by a native speaker, and accurate results one can recognize without exceptions. The API works.
> 
> This is no BS site. The fact so many of you haven't heard of it, to me is honestly stunning, more so than your thoughts of its legitimacy or purpose.
> 
> ...



I already did my due diligence. This was before I formed my own opinion. I had, already, read up on Troy Hunt and, the company he joined with (He actually purchased the 1password subscription service); and, I still have my same conclusion and opinion of it.

I have not stated anything as fact, just my personal opinion.
And, you are free to have/express your opinion on the topic, too.


----------



## Lorec (Feb 5, 2019)

tomasstatkus said:


> Looks like my passwords are ok


Good for you. Did you even read the whole thread?


----------

