New Massive Security Breach Exposes 773 Million Passwords

Security researcher Troy Hunt, who maintains Have I Been Pwned, the website for anyone who wants to know whether their email address and/or passwords have turned up in a security breach (spoiler alert: yup), has released a report on a truly massive breach of some 773 million records. Even worse, that figure is the net impact after Hunt attempted to strip the data set of duplicates and of useless fields that contained no email addresses or associated passwords.

The monster data dump goes by the prosaic “Collection #1” and contains 1.16B unique combinations of email addresses and passwords, but only 772 million unique email addresses. It’s the largest data dump to ever be loaded into Have I Been Pwned, and it represents a sort of meta-breach collection rather than the results of any single security exploit or corporate security shortfall.

The data in the breach comes from a variety of sources, and Hunt stresses that not all of the ‘breaches’ have been verified, which is to say that not every database the dump claims to include is necessarily in it. If you’ve ever explored the leaked material around your own email address, you’ve probably realized that not every leak contains accurate information — while I’ve seen my own email associated with passwords that I’ve used in the past, I’ve also seen emails I’ve used associated with passwords I’ve never used with those accounts.

A golden opportunity was missed to call this “1 Collection.” I’ll show myself out.

Hunt’s blog post contains instructions for how visitors can use Have I Been Pwned, as well as its companion application, Pwned Passwords. You can not only search for your email address to see if it’s been breached, but you can also check to see if your password has been seen. Hunt also discusses the ethical implications of creating a website where people check to see if their passwords have been leaked by entering them — check his blog post for more of his thoughts on the topic. It’s not crazy to have concerns about this issue, but the benefits may outweigh the risks.
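The password check the article mentions can be done without sending the password itself: the real Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every matching hash suffix with its breach count, so the full hash never leaves your machine. This is an added example, not code from the article or from Have I Been Pwned; the range response below is constructed for offline use, and the live fetch helper is an assumption about how you would wire it up in practice.

```python
import hashlib
import urllib.request

# Constructed sample of a range response for prefix "5BAA6" (the prefix of
# the SHA-1 of "password"). Each line is "<35-char suffix>:<count>".
# Counts are illustrative, not a live API result.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2E6D5A7B8C9D0E1F2A3B4C5D6E7F8A9B0:2
0A5C1E2D3F4B5A6978C8D9E0F1A2B3C4D5E:15
"""


def split_sha1(password: str):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 if unseen).
    fetch_range(prefix) must return the range body for that 5-char prefix."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call, serving only the constructed sample."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def fetch_range_live(prefix: str) -> str:
    """Assumed live lookup against the public range endpoint (not called here)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(pwned_count("password", fetch_range_offline))  # 3730471
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; only the five-character prefix is ever transmitted.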

The scale of Collection #1 is huge — by size alone, it’s one of the largest breaches in history, behind the massive Yahoo security failures. But it also contains roughly 140 million unique email accounts and 10 million unique passwords according to Hunt, with the passwords themselves in plaintext rather than circulating as uncracked cryptographic hashes.

This type of massive data breach is typically used in a credential stuffing attack rather than a targeted attempt to breach specific companies or individuals. Credential stuffing is exactly what it sounds like — pair up email addresses and passwords and attempt to use them to gain access to user accounts. Because people tend to re-use credentials across many sites and may not change passwords for months or years at a time, it can be surprisingly easy to gain access to accounts.

If you’ve been affected by this breach and your password has leaked, we strongly recommend changing it on all of the sites affected. A password manager is also an effective way to keep a set of strong, unique passwords, with better overall security than a mnemonic scheme or a short string of random letters and numbers.
