Free Republic
News/Activism

3.2 Billion Leaked Passwords Contain 1.5 Million Records with Government Emails
https://thehackernews.com | April 26, 2021 | Ravie Lakshmanan

Posted on 04/26/2021 9:34:09 AM PDT by Red Badger

A staggering number of 3.28 billion passwords linked to 2.18 billion unique email addresses were exposed in what's one of the largest data dumps of breached usernames and passwords.

In addition, the leak includes 1,502,909 passwords associated with email addresses from government domains across the world, with the U.S. government alone accounting for 625,505 of the exposed passwords, followed by the U.K. (205,099), Australia (136,025), Brazil (68,535), and Canada (50,726).

The findings come from an analysis of a massive 100GB data set called "COMB21" — aka Compilation of Many Breaches — that was published for free on an online cybercrime forum earlier this February; it was assembled from multiple leaks at different companies and organizations that occurred over the years.

It's worth noting that a leak doesn't imply a breach of public administration systems. The passwords are said to have been obtained via techniques such as password hash cracking after being stolen or through phishing attacks and eavesdropping on insecure, plaintext connections.

The top 10 U.S. government domains affected by the leak are as follows:

State Department - state.gov (29,144)
Veterans Affairs Department - va.gov (28,937)
Department of Homeland Security - dhs.gov (21,575)
National Aeronautics and Space Administration - nasa.gov (15,665)
Internal Revenue Service - irs.gov (10,480)
Center for Disease Control and Prevention - cdc.gov (8,904)
Department of Justice - usdoj.gov (8,857)
Social Security Administration - ssa.gov (8,747)
U.S. Postal Service - usps.gov (8,205)
Environmental Protection Agency - epa.gov (7,986)

Interestingly, this leak also includes 13 credentials linked to emails of the Oldsmar water plant in Florida, as previously reported by CyberNews. However, there's no evidence that the breached passwords were used to carry out the cyberattack in February. In contrast, only 18,282 passwords related to Chinese government domains and 1,964 passwords from those related to Russia were laid bare.

"It is an indication that the passwords in these countries, made up of local alphabets, are less targeted by hackers. It is an unexpected layer of protection in relation to the Roman alphabet," said Syhunt Founder and Chief Visionary Officer (CVO) Felipe Daragon.

On a related note, a notorious threat actor named ShinyHunters has posted an alleged database consisting of 20 million BigBasket users for free, almost five months after the Indian online grocery delivery startup confirmed a data breach. According to Under the Breach's Alon Gal, the database includes users' email addresses, phone numbers, residential addresses, hashed passwords, dates of birth, and order histories.

In the past, ShinyHunters has been connected to the sale of personal data from several companies, including Zoosk, SocialShare, Tokopedia, TeeSpring, Mindful, Minted, Chatbooks, Dave, Promo, Mathway, Wattpad, MeetMindful.com, and StarTribune.

Users who have had their information exposed are strongly advised to change their existing passwords.



TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Government

1 posted on 04/26/2021 9:34:09 AM PDT by Red Badger
[ Post Reply | Private Reply | View Replies]

To: ShadowAce; dayglored; Swordmaker

Pingy! Ping! Ping!..................


2 posted on 04/26/2021 9:34:51 AM PDT by Red Badger ("We've always been at war with Climate Change, Winston."..............................)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Red Badger

That’s amazing! I have the same combination on my luggage.


3 posted on 04/26/2021 9:37:12 AM PDT by BenLurkin (The above is not a statement of fact. It is either opinion, or satire. Or both.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: rdb3; JosephW; martin_fierro; Still Thinking; zeugma; Vinnie; ironman; Egon; raybbr; AFreeBird; ...

4 posted on 04/26/2021 9:38:05 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )
[ Post Reply | Private Reply | To 1 | View Replies]

No plain passwords should be stored anymore. High entropy salted hashes should have been the case for quite some time now. Guessing these exposed passwords are from old systems.


5 posted on 04/26/2021 9:42:51 AM PDT by Gene Eric (Don't be a statist!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Red Badger

OLD OLD story.


6 posted on 04/26/2021 9:43:11 AM PDT by TexasGator (Z1z)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Gene Eric

“Guessing these exposed passwords are from old systems.”

A Google search reveals the whole story:

https://www.tomsguide.com/news/3-2-billion-passwords-leaked


7 posted on 04/26/2021 9:45:58 AM PDT by TexasGator (Z1z)
[ Post Reply | Private Reply | To 5 | View Replies]

To: ShadowAce

https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fmedia.tenor.co%2Fimages%2F84d440d70af47873b7aa80204ed0543e%2Fraw&f=1&nofb=1


8 posted on 04/26/2021 9:47:08 AM PDT by Red Badger ("We've always been at war with Climate Change, Winston."..............................)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Gene Eric

Didn’t even read the excerpt?

“The passwords are said to have been obtained via techniques such as password hash cracking”


9 posted on 04/26/2021 9:53:17 AM PDT by Pollard
[ Post Reply | Private Reply | To 5 | View Replies]

To: ShadowAce; Red Badger

This was very bad “Report: Chinese hackers stole data from up to 4 million Federal Employees”
https://freerepublic.com/focus/f-news/3296974/posts?page=1


10 posted on 04/26/2021 9:56:41 AM PDT by AdmSmith (GCTGATATGTCTATGATTACTCAT)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Pollard; Gene Eric

How CrackStation Works

CrackStation uses massive pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password, and the correct password for that hash. The hash values are indexed so that it is possible to quickly search the database for a given hash. If the hash is present in the database, the password can be recovered in a fraction of a second. This only works for "unsalted" hashes. For information on password hashing systems that are not vulnerable to pre-computed lookup tables, see our hashing security page.

Crackstation's lookup tables were created by extracting every word from the Wikipedia databases and adding every password list we could find. We also applied intelligent word mangling (brute force hybrid) to our wordlists to make them much more effective. For MD5 and SHA1 hashes, we have a 190GB, 15-billion-entry lookup table, and for other hashes, we have a 19GB 1.5-billion-entry lookup table.


Crackstation cracked these four unsalted sha256 hashes in a fraction of a second.
c11083b4b0a7743af748c85d343dfee9fbb8b2576c05f3a7f0d632b0926aadfc
08eac03b80adc33dc7d8fbe44b7c7b05d3a2c511166bdb43fcb710b03ba919e7
e4ba5cbd251c98e6cd1c23f126a3b81d8d8328abc95387229850952b3ef9f904
5206b8b8a996cf5320cb12ca91c7b790fba9f030408efe83ebb83548dc3007bd

11 posted on 04/26/2021 10:10:54 AM PDT by ProtectOurFreedom (Real happiness is one that you share)
[ Post Reply | Private Reply | To 9 | View Replies]

To: ProtectOurFreedom

Two Factor Authentication may be aggravating but is probably a good thing to do.


12 posted on 04/26/2021 10:22:04 AM PDT by Pollard
[ Post Reply | Private Reply | To 11 | View Replies]

To: ShadowAce

Most of these passwords are stored on web servers.

This is not about local client storage of passwords.

Unix/Linux makes up 60% of all web servers.


13 posted on 04/26/2021 10:29:53 AM PDT by Alas Babylon! ("You, the American people, are my only special interest." --President Donald J. Trump)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Pollard

I use TFA all the time (at least where it is available). It is a pain, but it is obviously secure because you have to have 1) Something you KNOW and 2) Some physical thing you HAVE.

I also use a YubiKey USB key. It’s a tiny USB device that you plug into any USB port. It is also the physical thing you HAVE and it provides strong security. I’ve switched away from it more and more and use my phone for TFA.


14 posted on 04/26/2021 10:47:32 AM PDT by ProtectOurFreedom (Real happiness is one that you share)
[ Post Reply | Private Reply | To 12 | View Replies]

To: Pollard

Said salted.


15 posted on 04/26/2021 10:53:21 AM PDT by Gene Eric (Don't be a statist!)
[ Post Reply | Private Reply | To 9 | View Replies]

To: ProtectOurFreedom

+1


16 posted on 04/26/2021 10:54:19 AM PDT by Gene Eric (Don't be a statist!)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Red Badger

...on Biden’s watch.


17 posted on 04/26/2021 11:06:23 AM PDT by moovova (Yo GOP....we won't forget.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ProtectOurFreedom

What is a salted hash please?


18 posted on 04/26/2021 11:07:07 AM PDT by grey_whiskers (The opinions are solely those of the author and are subject to change with out notice.)
[ Post Reply | Private Reply | To 11 | View Replies]

To: grey_whiskers

"In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes data, a password or passphrase. Salts are used to safeguard passwords in storage. Historically a password was stored in plaintext on a system, but over time, additional safeguards were developed to protect a user's password against being read from the system. A salt is one such method."

Hash function

Salt (cryptography)

19 posted on 04/26/2021 11:22:06 AM PDT by ProtectOurFreedom (Real happiness is one that you share)
[ Post Reply | Private Reply | To 18 | View Replies]
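The lookup-table mechanism quoted in post 11 and the salt described in post 19, as an added example that is not part of this thread or of CrackStation's own code: a constructed five-word list stands in for the dictionary, and plain SHA-256 with a 16-byte random salt stands in for a real password store (a slow KDF such as PBKDF2 would be used in practice). It shows why an unsalted digest is reversed by a single dictionary lookup while a salted one is not in the table at all.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a lookup-table wordlist (assumption: five words
# instead of the billions of entries a real table holds).
WORDLIST = ["password", "letmein", "Winter2021!", "correct horse", "hunter2"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> password for unsalted SHA-256, indexed by digest."""
    return {sha256_hex(w.encode()): w for w in words}


def lookup(table, digest_hex: str) -> Optional[str]:
    """Reverse an unsalted digest with one dictionary lookup; None if absent."""
    return table.get(digest_hex)


def store_salted(password: str, salt: Optional[bytes] = None):
    """Store (salt, SHA-256(salt || password)) with a fresh per-user salt.

    Because each user gets a different salt, the same password yields a
    different digest per user, so a precomputed table cannot be reused.
    (A real deployment uses a slow KDF, e.g. hashlib.pbkdf2_hmac, on top.)
    """
    salt = os.urandom(16) if salt is None else salt
    return salt, sha256_hex(salt + password.encode())


def verify_salted(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(sha256_hex(salt + password.encode()), stored)


def demo():
    table = build_lookup_table(WORDLIST)
    hit = lookup(table, sha256_hex(b"letmein"))   # unsalted: recovered at once
    record = store_salted("letmein")
    miss = lookup(table, record[1])                # salted: not in the table
    return hit, miss, verify_salted("letmein", record), verify_salted("wrong", record)
```

Running demo() returns ("letmein", None, True, False): the same password is reversible when stored unsalted and invisible to the table when salted, while legitimate verification still works.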

To: ProtectOurFreedom

Thanks.


20 posted on 04/26/2021 11:51:11 AM PDT by grey_whiskers (The opinions are solely those of the author and are subject to change with out notice.)
[ Post Reply | Private Reply | To 19 | View Replies]
