
Leaked database exposes 87GB of emails and passwords

By midian182 · 19 replies
Jan 17, 2019
  1. Hunt, who maintains the ‘Have I been pwned’ website that shows if an email appears in a breach, writes that Collection #1 is made up of 2,692,818,238 rows of email addresses and passwords across 12,000 separate files. The 87GB of data had briefly been accessible on cloud service Mega and is now on “a popular hacking forum.”

    The data is an aggregation of over 2000 breached databases in which the password hashing has been cracked. Its size makes it the second largest breach after the Yahoo incident that affected 3 billion customers.

    "What I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago," Hunt wrote. "In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see."

    The biggest risk to arise from leaks like these comes from people reusing the same login credentials across multiple sites, thereby allowing hackers to access their accounts. It’s yet another example of why you should use a password manager such as LastPass.

    Hunt has added all the emails from Collection #1 to Have I been Pwned, so you can find out if your address appears on this list or any others. You can even safely search for any of your commonly used passwords to see if they’ve also been compromised.
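The "safe" password search mentioned above works because the client never sends the password itself: it SHA-1 hashes the password locally, transmits only the first five hex characters of the hash, receives every known hash suffix under that prefix, and finishes the comparison on its own machine (a k-anonymity range query). The script below is an added example, not code from the article or from Have I Been Pwned; it reproduces that client-side logic against a constructed, embedded range response so it runs offline. The live endpoint it stands in for is `https://api.pwnedpasswords.com/range/<prefix>`; the sample passwords, occurrence counts and the `fake_fetch_range` stand-in are all constructed here.

```python
"""k-anonymity style compromised-password check (added example, runs offline)."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # hex characters actually transmitted to the server


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, computed locally."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char prefix (sent) and 35-char suffix (kept)."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a range query returns into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the data set (0 = not found).

    Only the hash prefix leaves this function; the suffix match happens here.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Real HTTPS range query (not exercised in this offline example)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- Constructed stand-in for the server -------------------------------------
# A few sample weak passwords with made-up occurrence counts. The store is
# built from their real SHA-1 hashes so the lookup path is exercised honestly.
_SAMPLE_COMPROMISED = {"password123": 123456, "letmein": 7890, "qwerty": 3900000}
_STORE: Dict[str, list] = {}
for _pw, _n in _SAMPLE_COMPROMISED.items():
    _p, _s = split_hash(sha1_hex(_pw))
    _STORE.setdefault(_p, []).append(f"{_s}:{_n}")


def fake_fetch_range(prefix: str) -> str:
    """Returns the text body a range query would yield for this prefix.

    A real response holds hundreds of suffixes per prefix; here a constructed
    dummy suffix is always appended so even a one-hit prefix returns a set.
    """
    lines = list(_STORE.get(prefix.upper(), []))
    lines.append("0" * 34 + "A:1")  # constructed filler entry
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("password123", "qwerty", "a long phrase nobody has leaked"):
        sent, _ = split_hash(sha1_hex(candidate))
        hits = breach_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: sent prefix {sent}, seen {hits} times")
```

Swap `fake_fetch_range` for `live_fetch_range` to query the real service; what reaches the network is the same five characters either way, which is why the search can be called safe even for a password you still use.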

    Image credit: Eviart via shutterstock


     
  2. Squid Surprise

    Squid Surprise TS Evangelist Posts: 2,370   +1,371

    Well, here's proof once again that it doesn't matter how "hard to guess" your password is - just how secure the website is that you are a member of...

    Shockingly, one of my passwords is actually "safe" :)
     
    wiyosaya, jobeard and Underdog like this.
  3. Underdog

    Underdog TS Addict Posts: 104   +56

    Just curious. How safe is the cloud? I don't use it myself but loads of people do.
     
  4. wiyosaya

    wiyosaya TS Evangelist Posts: 3,559   +1,924

    I searched for several email addresses and I found none that I currently use.

    I cannot agree with a password manager. Personally, I do not think that any site is entirely secure and having all my passwords in a central location like that that is online is a hack waiting to happen.

    What I have started doing recently is using a pass phrase. One of mine is 51 characters long. I have no control over how that is stored on a web site, however, I can tell you that outside of web site software that has some hidden exploit, anything less than the fabled quantum computer will have difficulty guessing any of my pass phrase passwords.

    To me the haveibeenpwned web site looks like it is trying to convince people that they should be using yet another online password manager - https://1password.com/haveibeenpwned/ In other words, haveibeenpwned seems like it is a site designed by those wanting to market 1password's services. If it were non-profit or something like that, I might trust it more; but then again, it did not find the e-mail addresses I searched for. Call me paranoid, but I don't trust the password search.
     
    Digitalzone and Dimitrios like this.
  5. fktech

    fktech TS Maniac Posts: 502   +128

    I'm shocked, not!
     
  6. jobeard

    jobeard TS Ambassador Posts: 12,671   +1,478

    Can't agree more.
     
    Dimitrios and wiyosaya like this.
  7. OutlawCecil

    OutlawCecil TS Guru Posts: 619   +449

    Password managers (if done right) can be extremely secure. LastPass has been targeted tons of times and there's even reports that one or two hacks were successful. The thing is, all they got was junk data that's encrypted which doesn't do them any good. Even the world's most powerful computers today cannot crack AES 256 encryption. It's what the US government uses as a standard as well. LastPass does it right. They encrypt traffic on both sides meaning the password and data is never "out there" to be grabbed in an unencrypted state. I've seen multiple reports where security experts got to review LastPass' technology and they agreed it's well designed.

    If your passwords are somehow unique to each separate website and there isn't some easy to determine pattern to them, then good for you for remembering so many without a password manager. I would guess however that this means you have a system to it and if somebody stole one of your passwords and figured out your system, they could still use it to unlock your account on other websites. With LastPass, I'm generating completely randomized passwords with a max length of whatever each website lets me do. If you don't like LastPass, I recommend BitWarden who also seems to be awesome on security. I trust both.

    Yes, I'm sure they take advertising offers to raise funding to help keep the site running. You are free to ignore ads on any website... You can't hold this against them or use it to say their information they provide is wrong because of it.
     
    Last edited: Jan 17, 2019
  8. p51d007

    p51d007 TS Evangelist Posts: 1,865   +1,143

    So, if you enter a password into this site and it gets hacked...
     
    George Keech and wiyosaya like this.
  9. wiyosaya

    wiyosaya TS Evangelist Posts: 3,559   +1,924

    What I do is consistent with the latest password guidelines. Psychologically, the older guidelines - such as capital letters, numbers, characters, etc., are nearly impossible to remember; thus, the need for things like password managers. TechSpot ran an article about the new guidelines - https://www.techspot.com/news/70492-man-who-came-up-password-rules-all-hate.html

    Phrases, however, are easy to remember, pretty much for everyone. What I do is make up a phrase that may or may not relate to the site - though that association makes it easier to remember. The association is not the same for each site, and the phrase is different for each site. In each case, the phrase is meaningful to me which also helps to make it memorable.

    These guidelines are consistent with techniques that are known to improve memory.

    That said, there is always that password recovery button.

    Many sites still implement the old rules. As I see it, that is the biggest thing that stands in the way of wide-spread acceptance of the new rules. I have a nearly 30-character passphrase for one site yet it still requires special characters. Anyway, I suggest reading the TS article at the link.

    Actually, the site is run by a M$ regional VP, Troy Hunt, who does speaking engagements. Sure, he can sell advertising on his site to keep it going. However, I still do not trust it. Call me paranoid, but exploitation comes in some surprising packages and the worst of those sometimes arise from the least expected places. I prefer the better safe than sorry approach.

    That said, I am sure the guy who runs the site is aware of these new password recommendations. The passwords that these password manager sites generate, while they may be hard to crack, are impossible to remember. They also maintain consistency with the old password rules thus prolonging their use even though they are considered archaic ATM. If he had a link to the new guidelines or even the new guidelines on the site itself, I would be more trusting; however, I poked around a bit and did not find any reference to these new guidelines. If I wanted to get extreme about it, I would call it a co-dependent relationship.

    Like @Squid Surprise said, however, the security of a site is ultimately up to how well security is implemented in that site. Any password on a site with poor security, no matter whether it adheres to the old guidelines or the new guidelines, will not necessarily survive poorly implemented security.
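The two strategies argued over in this thread, OutlawCecil's manager-generated random password at the maximum length a site allows and wiyosaya's long memorable passphrase that some sites still reject for lacking special characters, can be put side by side in code. The script below is an added example, not code from any poster or from any password manager: it generates a policy-compliant random password, checks a candidate against the "old rules" wiyosaya describes, and computes the guessing entropy of both approaches. The symbol set, the `min_len` of 8 and the 7,776-word dictionary size are constructed assumptions.

```python
"""Random passwords vs. passphrases: generation, legacy-policy check, entropy (added example)."""
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"  # constructed 24-symbol set
ALL_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def has_all_classes(pw: str, classes=ALL_CLASSES) -> bool:
    """True if pw contains at least one character from every class."""
    return all(any(c in cls for c in pw) for cls in classes)


def random_password(length: int, classes=ALL_CLASSES) -> str:
    """Uniformly random password over the union of the classes, resampled until
    it satisfies the one-of-each-class rule (what a manager does when a site
    insists on the legacy policy). Uses the CSPRNG in `secrets`, never `random`.
    """
    if length < len(classes):
        raise ValueError("length too short to contain every required class")
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw, classes):
            return pw


def meets_legacy_policy(pw: str, min_len: int = 8) -> bool:
    """The 'old rules': minimum length plus upper, lower, digit and symbol."""
    return len(pw) >= min_len and has_all_classes(pw)


def entropy_bits_random(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random string (slightly overstates the
    resampled generator above, since the class rule removes a few candidates)."""
    return length * math.log2(alphabet_size)


def entropy_bits_passphrase(num_words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase whose words are drawn at random from a list.
    A phrase a person composes from memory, as in the posts above, is chosen
    from a much smaller effective space, so this is an upper bound for it."""
    return num_words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a constructed cracking rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    alphabet_size = sum(len(c) for c in ALL_CLASSES)  # 86 with the sets above
    pw = random_password(20)
    print("generated:", pw, "legacy-policy ok:", meets_legacy_policy(pw))
    r = entropy_bits_random(20, alphabet_size)
    p = entropy_bits_passphrase(6, 7776)  # 6 words from a 7,776-word list
    rate = 1e12  # constructed: one trillion offline guesses per second
    print(f"20-char random: {r:.1f} bits, {years_to_exhaust(r, rate):.2e} years")
    print(f"6-word passphrase: {p:.1f} bits, {years_to_exhaust(p, rate):.2e} years")
    print("passphrase passes legacy policy:",
          meets_legacy_policy("correct horse battery staple"))
```

Run it and the last line prints `False`: a four-word phrase fails the legacy one-of-each-class rule regardless of its entropy, which is exactly the friction wiyosaya describes, while the generated 20-character string passes it and carries more entropy than a six-word random passphrase.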
     
  10. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,746   +1,144

    @OutlawCecil Up you go mate.

    As long as they don't have the username I could even give you a bunch of the passwords I use and you would still be unable to do anything with them.
     
    OutlawCecil likes this.
  11. Silvernine

    Silvernine TS Enthusiast Posts: 43   +36

    Exactly this. LastPass to me is perfectly fine but to add, if you are just paranoid about online password managers, then use KeePass. It's completely offline and therefore the database is completely under your control. In addition, it recently was audited. Even more, EU is now offering bounties for any bugs found in KeePass.

    Website
    https://keepass.info/

    Audit News
    https://joinup.ec.europa.eu/news/eu-fossa-project-submits-resu

    Bug Bounties by the EU
    https://www.techspot.com/news/78051-eu-fund-bug-bounties-open-source-projects-including.html
    https://www.intigriti.com/public/project/keepass/keepassbyec

    There is also a KeePass fork for Linux called KeePassX. Do note that there are missing features in the Linux port. And if I'm correct, it also does not offer newer encryption algorithms for the database such as ChaCha20 or the new key derivation function Argon2. It does, however, support Twofish out of the box unlike vanilla KeePass which relies on third-party plug-ins for Twofish.

    Linux Port
    https://www.keepassx.org/
     
    Digitalzone and Kibaruk like this.
  12. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,746   +1,144

    I'll second LastPass.

    And just to add to this, the db being under your control means you MUST have a Disaster Recovery Plan, or your N+1. Even then the cloud is still the safest place where you can actually store it; you would probably need to pair it with a cloud backup solution to not have an outdated database in case the worst comes to pass.
     
    Silvernine likes this.
  13. Lew Zealand

    Lew Zealand TS Guru Posts: 444   +332

    Huh, my junk email address was pwned once on a site I've never used (Dailymotion). ??
    My regular email not pwned at all.
    My ancient work email pwned at Adobe and Dropbox, which I already knew.

    Fun!
     
  14. treetops

    treetops TS Evangelist Posts: 2,399   +431

    My yahoo was compromised back when... but my gmail shows up on this site... however I think it thinks I use the same password on my gmail as I do on rando websites that I use my gmail as my send to email. Which I do not. I have a password for rando sites, a password for my main email, a pass for my crap email and a password for financial.
     
  15. toooooot

    toooooot TS Evangelist Posts: 692   +331

    For some reason I read it as "exposes 87GB of Femails" 0.0 My curiosity spiked high but then went down abruptly when I realized my mistake.
     
    OutlawCecil likes this.
  16. gamerk2

    gamerk2 TS Addict Posts: 203   +126

    As safe as anything else connected to the internet.
     
  17. Raytrace3D

    Raytrace3D TS Booster Posts: 89   +85

    Locks are for honest people
     
    jobeard likes this.
  18. NightAngel79

    NightAngel79 TS Addict Posts: 203   +57

    Have I been pawned website? Is that a place to look for the DVDs that crack head stole and sold?
     
  19. Bats Dude

    Bats Dude TS Rookie Posts: 20

    Now I am seriously curious. Just how does Techspot protect us? Hmmm...
     
  20. Swifty

    Swifty TS Rookie

    So my password123 has been compromised? Ugh.
     
