Leaked database exposes 87GB of emails and passwords

midian182

What just happened? One of the largest collections of leaked user login credentials has appeared. Security researcher Troy Hunt has highlighted “Collection #1,” a set of records made up of 773 million unique email addresses and 21 million unique passwords.

Hunt, who maintains the ‘Have I Been Pwned’ website that shows if an email appears in a breach, writes that Collection #1 is made up of 2,692,818,238 rows of email addresses and passwords across 12,000 separate files. The 87GB of data had briefly been accessible on cloud service Mega and is now on “a popular hacking forum.”

The data is an aggregation of over 2,000 breached databases in which the password hashing has been cracked. Its size makes it the second-largest breach after the Yahoo incident that affected 3 billion customers.

"What I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago," Hunt wrote. "In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see."

The biggest risk to arise from leaks like these comes from people reusing the same login credentials across multiple sites, thereby allowing hackers to access their accounts. It’s yet another example of why you should use a password manager such as LastPass.

Hunt has added all the emails from Collection #1 to Have I Been Pwned, so you can find out if your address appears on this list or any others. You can even safely search for any of your commonly used passwords to see if they’ve also been compromised.
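The "safely search" part rests on the Pwned Passwords range API: the client SHA-1 hashes the password and sends only the first five hex characters (GET https://api.pwnedpasswords.com/range/{prefix}); the server answers with every hash suffix in that range and its breach count, so the full hash and the password never leave the machine. The following is an added example, not code from the article or from Have I Been Pwned, that implements the client side of that check against a constructed copy of a range response; the counts and the offline fetch function are assumptions standing in for the real HTTP call.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a range response for prefix 5BAA6. Each line is
# "<35 hex chars of SHA-1 suffix>:<times seen in breaches>". All lines and
# counts are made up for this example; only the third suffix is real, it is
# the tail of SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000
2A33C9D3BF5D2E2A8FF6F0A4E0E5F7B6A21:1
"""


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1.
    Only the prefix is ever sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response body into {suffix: count}; blank lines skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    The suffix comparison happens locally, after the whole range is fetched."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Assumed stand-in for the HTTP request; serves only the sample range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, offline_fetch)} times")
```

A password with zero hits is not proven safe; it only means that exact string is absent from the corpus the service holds.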

Image credit: Eviart via shutterstock


 
Well, here's proof once again that it doesn't matter how "hard to guess" your password is - just how secure the website is that you are a member of...

Shockingly, one of my passwords is actually "safe" :)

Just curious. How safe is the cloud? I don't use it myself but loads of people do.
 
I searched for several email addresses and I found none that I currently use.

I cannot agree with a password manager. Personally, I do not think that any site is entirely secure and having all my passwords in a central location like that that is online is a hack waiting to happen.

What I have started doing recently is using a pass phrase. One of mine is 51 characters long. I have no control over how that is stored on a web site, however, I can tell you that outside of web site software that has some hidden exploit, anything less than the fabled quantum computer will have difficulty guessing any of my pass phrase passwords.

To me the haveibeenpwned web site looks like it is trying to convince people that they should be using yet another online password manager - https://1password.com/haveibeenpwned/ In other words, haveibeenpwned seems like it is a site designed by those wanting to market 1password's services. If it were non-profit or something like that, I might trust it more; but then again, it did not find the e-mail addresses I searched for. Call me paranoid, but I don't trust the password search.
 
...
I cannot agree with a password manager. Personally, I do not think that any site is entirely secure and having all my passwords in a central location like that that is online is a hack waiting to happen.

What I have started doing recently is using a pass phrase..
Can't agree more.
 
I cannot agree with a password manager. Personally, I do not think that any site is entirely secure and having all my passwords in a central location like that that is online is a hack waiting to happen.
Password managers (if done right) can be extremely secure. LastPass has been targeted tons of times and there are even reports that one or two hacks were successful. The thing is, all they got was junk data that's encrypted which doesn't do them any good. Even the world's most powerful computers today cannot crack AES 256 encryption. It's what the US government uses as a standard as well. LastPass does it right. They encrypt traffic on both sides meaning the password and data is never "out there" to be grabbed in an unencrypted state. I've seen multiple reports where security experts got to review LastPass' technology and they agreed it's well designed.

What I have started doing recently is using a pass phrase. One of mine is 51 characters long.
If your passwords are somehow unique to each separate website and there isn't some easy-to-determine pattern to them, then good for you for remembering so many without a password manager. I would guess however that this means you have a system to it and if somebody stole one of your passwords and figured out your system, they could still use it to unlock your account on other websites. With LastPass, I'm generating completely randomized passwords with a max length of whatever each website lets me do. If you don't like LastPass, I recommend BitWarden who also seems to be awesome on security. I trust both.

To me the haveibeenpwned web site looks like it is trying to convince people that they should be using yet another online password manager - https://1password.com/haveibeenpwned/
Yes, I'm sure they take advertising offers to raise funding to help keep the site running. You are free to ignore ads on any website... You can't hold this against them or use it to say their information they provide is wrong because of it.
 
If your passwords are somehow unique to each separate website and there isn't some easy-to-determine pattern to them, then good for you for remembering so many without a password manager. I would guess however that this means you have a system to it and if somebody stole one of your passwords and figured out your system, they could still use it to unlock your account on other websites. With LastPass, I'm generating completely randomized passwords with a max length of whatever each website lets me do. If you don't like LastPass, I recommend BitWarden who also seems to be awesome on security. I trust both.
What I do is consistent with the latest password guidelines. Psychologically, the older guidelines - such as capital letters, numbers, characters, etc., are nearly impossible to remember; thus, the need for things like password managers. TechSpot ran an article about the new guidelines - https://www.techspot.com/news/70492-man-who-came-up-password-rules-all-hate.html

Phrases, however, are easy to remember, pretty much for everyone. What I do is make up a phrase that may or may not relate to the site - though that association makes it easier to remember. The association is not the same for each site, and the phrase is different for each site. In each case, the phrase is meaningful to me which also helps to make it memorable.

These guidelines are consistent with techniques that are known to improve memory.

That said, there is always that password recovery button.

Many sites still implement the old rules. As I see it, that is the biggest thing that stands in the way of wide-spread acceptance of the new rules. I have a nearly 30-character passphrase for one site yet it still requires special characters. Anyway, I suggest reading the TS article at the link.

Yes, I'm sure they take advertising offers to raise funding to help keep the site running. You are free to ignore ads on any website... You can't hold this against them or use it to say their information they provide is wrong because of it.
Actually, the site is run by a M$ regional VP, Troy Hunt, who does speaking engagements. Sure, he can sell advertising on his site to keep it going. However, I still do not trust it. Call me paranoid, but exploitation comes in some surprising packages and the worst of those sometimes arise from the least expected places. I prefer the better safe than sorry approach.

That said, I am sure the guy who runs the site is aware of these new password recommendations. The passwords that these password manager sites generate, while they may be hard to crack, are impossible to remember. They also maintain consistency with the old password rules thus prolonging their use even though they are considered archaic ATM. If he had a link to the new guidelines or even the new guidelines on the site, itself, I would be more trusting, however, I poked around a bit and did not find any reference to these new guidelines. If I wanted to get extreme about it, I would call it a co-dependent relationship.

Like @Squid Surprise said, however, the security of a site is ultimately up to how well security is implemented in that site. Any password on a site with poor security, no matter whether it adheres to the old guidelines or the new guidelines, will not necessarily survive poorly implemented security.
 
I cannot agree with a password manager. Personally, I do not think that any site is entirely secure and having all my passwords in a central location like that that is online is a hack waiting to happen.
Password managers (if done right) can be extremely secure.
Exactly this. LastPass to me is perfectly fine but to add, if you are just paranoid about online password managers, then use KeePass. It's completely offline and therefore the database is completely under your control. In addition, it recently was audited. Even more, the EU is now offering bounties for any bugs found in KeePass.

Website
https://keepass.info/

Audit News
https://joinup.ec.europa.eu/news/eu-fossa-project-submits-resu

Bug Bounties by the EU
https://www.techspot.com/news/78051-eu-fund-bug-bounties-open-source-projects-including.html
https://www.intigriti.com/public/project/keepass/keepassbyec

There is also a KeePass fork for Linux called KeePassX. Do note that there are missing features in the Linux port. And if I'm correct, it also does not offer newer encryption algorithms for the database such as ChaCha20 or the new key derivation function Argon2. It does, however, support Twofish out of the box unlike vanilla KeePass which relies on third-party plug-ins for Twofish.

Linux Port
https://www.keepassx.org/
 
Exactly this. LastPass to me is perfectly fine...
I'll second LastPass.

...if you are just paranoid about online password managers, then use KeePass. It's completely offline and therefore the database is completely under your control.
And just to add to this, the db being under your control means you MUST have a Disaster Recovery Plan, or your N+1. Even then, the cloud is still the safest place where you can actually store it; you would probably need to pair it with a cloud backup solution to not have an outdated database in case the worst comes to pass.
 
Huh, my junk email address was pwned once on a site I've never used (Dailymotion). ??
My regular email not pwned at all.
My ancient work email pwned at Adobe and Dropbox, which I already knew.

Fun!
 
My yahoo was compromised back when... but my gmail shows up on this site... however I think it thinks I use the same password on my gmail as I do on rando websites that I use my gmail as my send to email. Which I do not. I have a password for rando sites, a password for my main email, a pass for my crap email and a password for financial.
 
For some reason I read it as "exposes 87GB of Femails" 0.0 My curiosity spiked high but then went down abruptly when I realized my mistake.
 