773 Million Credentials Leaked

[Regeneration]

A huge database of logins/passwords was leaked to MEGA a few days ago. Stolen from multiple hacked sources.

Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It's made up of many different individual data breaches from literally thousands of different sources.

Source

How to check if yours is among them: https://haveibeenpwned.com

 

[EarthDog]

Wth is this?

The fornite thing?

That link does nothing...lol

 

[biffzinker]

Wth is this?

The fornite thing?

"Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It's made up of many different individual data breaches from literally thousands of different sources."
https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

 

[IceScreamer]

My mail is on the list, but my password isn't, so that's at least something.

 

[biffzinker]

but my password isn't

NIST's guidance: check passwords against those obtained from previous data breaches

The Pwned Passwords service was created in August 2017 after NIST released guidance specifically recommending that user-provided passwords be checked against existing data breaches. The rationale for this advice and suggestions for how applications may leverage this data is described in detail in the blog post titled Introducing 306 Million Freely Downloadable Pwned Passwords. In February 2018, version 2 of the service was released with more than half a billion passwords, each now also with a count of how many times they'd been seen exposed. A version 3 release in July 2018 contributed a further 16M passwords and version 4 came in January 2019 along with the "Collection #1" data breach to bring the total to over 551M.

https://haveibeenpwned.com/Passwords

 

[Vya Domus]

Pretty sure that site is bollocks. No matter what random string you write, it will either say its safe or not, but never that it doesn't exist.

 

[moproblems99]

Could it be that safe means it isn't in there?

 

[Vya Domus]

Also, I would refrain myself from using that password checker thing. It's quite ironic that it is this easy to get people to write their passwords randomly on some site.

 

[biffzinker]

Also, I would refrain myself from using that password checker thing. It's quite ironic that it is this easy to get people to write their passwords randomly on some site.

An explanation of how it works is available.

Cloudflare, Privacy and k-Anonymity - https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

 

[IceScreamer]

https://haveibeenpwned.com/Passwords

It has been changed last month.

 

[eidairaman1]

Also, I would refrain myself from using that password checker thing. It's quite ironic that it is this easy to get people to write their passwords randomly on some site.

I wonder if OPs TPU account has been Pawned.

Looks like a Phishy in a Pharm

 

[Bones]

Agreed - Don't think hackers haven't noticed and neglected to "Get busy" with it.
Could be this is something setup to farm addys and passwords YOU give, making it easy for them to get.

I don't like the looks of it myself.

 

[hat]

I concur. It hardly seems professional.

However, it's worth mentioning that evidently the password "jibbajabbajoo" is safe! Let's all use it.

 

[eidairaman1]

I concur. It hardly seems professional.

However, it's worth mentioning that evidently the password "jibbajabbajoo" is safe! Let's all use it.

Or shaqfuisgreat

 

[Regeneration]

The website is legit. It checks if your email address exists on the latest database and previous breaches.

 

[rtwjunkie]

Agreed - Don't think hackers haven't noticed and neglected to "Get busy" with it.
Could be this is something setup to farm addys and passwords YOU give, making it easy for them to get.

I don't like the looks of it myself.

No. What the site does is list websites you are or have been a member of who had data breaches. That’s the thing, it’s old and new. Some people will only have former breaches.

For instance, I was on half a dozen sites that were data breaches at one time. For example, NexusMods. That was about 4 years ago, and everyone that paid attention to their notifications changed their login info and passwords. The site is thus one of mine listed because it is associated with the email addy I input. It doesn’t mean people are currently breached.

People that pay attention and correct these things as websites warn them can input the email you use for sign ins and see that the only things listed are issues that have since been corrected.

Those that it shows a current problem, well then you might be asking why that associated website hasn’t warned you yet.

 

[Vayra86]

How to check if yours is among them: https://haveibeenpwned.com

Are people here seriously questioning the legitimacy of haveibeenpwned.com? Wow... The site has only been around for over a decade doing the exact same thing. Good morning!

Same here wrt NexusMods, and my data was also leaked through Dungeons & Dragons Online. And yes, since those leaks, I get the occasional login on random accounts elsewhere for which I haven't bothered to change passwords. 2FA is my savior

 

[95Viper]

Are people here seriously questioning the legitimacy of haveibeenpwned.com? Wow... The site has only been around for over a decade doing the exact same thing. Good morning!

Yep, I question anything to do with someone wanting to collect data like this,
You go to that site... he logs your IP, you input your e-mail address. Now, you input your password to check it... and, remember, still got your IP.
They now have two lists. An e-mail one with IPs and a password list with IPs.
Compare the data; and, just match date, time, email addresses (& IPs), with Password (& IPs).
Just compiled me a nice list of possibilities.

Just my opinion.

Also, I am skeptical, too... looks like a scare tactic to get subscribers for his password manager.

 

[R0H1T]

Well there's always vpn, proxy, TOR & other alternatives if you don't want to be tracked/traced personally.

 

[rtwjunkie]

Yep, I question anything to do with someone wanting to collect data like this,
You go to that site... he logs your IP, you input your e-mail address. Now, you input your password to check it... and, remember, still got your IP.
They now have two lists. An e-mail one with IPs and a password list with IPs.
Compare the data; and, just match date, time, email addresses (& IPs), with Password (& IPs).
Just compiled me a nice list of possibilities.

Just my opinion.

Also, I am skeptical, too... looks like a scare tactic to get subscribers for his password manager.

You are spreading FUD, which as a moderator you definitely should know not to do.

Simple answer is don’t check any passwords with the site. You should be changing all your passwords regularly anyway. It’s just an informational tool that confirms sites you’ve been on that were breached at one time (and hopefully you fixed those logins back then) and (hopefully not) any currently breached sites you belong to. It does this with the email addy that you use for site registrations (hopefully you use an unimportant one).

The site is just informational, and as @Vayra86 said has been providing this service for many years.

 

[95Viper]

Well there's always vpn, proxy, TOR & other alternatives if you don't want to be tracked/traced personally.

True.
However, how many everyday users really use such. A lot, probably, have not heard of, or do not understand such.

You are spreading FUD, which as a moderator you definitely should know not to do.

Simple answer is don’t check any passwords with the site. You should be changing all your passwords regularly anyway. It’s just an informational tool that confirms sites you’ve been on that were breached at one time (and hopefully you fixed those logins back then) and (hopefully not) any currently breached sites you belong to. It does this with the email addy that you use for site registrations.

The site is just informational, and as @Vayra86 said has been providing this service for many years.

No FUD, just my opinion of a possiblility.
Vayra86 brought up the question; so yes, I answered Vayra86 and I am seriously questioning it.

Simple answer... I did not and have not used the site!
And, I agree, that a password should be change regularly, or, when you have doubt/suspicion.

And, personally, I do not care if the site has been there since day one.

 

[Vya Domus]

That's not FUD, it's the least bit of common sense you can apply to these things. Online security in general is in a horrible state as it is, don't make it even worse if you can.

 

[Arctucas]

Seems phishy to me...

 

[EarthDog]

However, how many everyday users really use such. A lot, probably, have not heard of, or do not understand such.

OT... but at least at OCF, I was surprised how many users 'hid' behind a VPN. Now, it isnt a lot...but it was a lot more than I would have ever expected.

 

[Vayra86]

Yep, I question anything to do with someone wanting to collect data like this,
You go to that site... he logs your IP, you input your e-mail address. Now, you input your password to check it... and, remember, still got your IP.
They now have two lists. An e-mail one with IPs and a password list with IPs.
Compare the data; and, just match date, time, email addresses (& IPs), with Password (& IPs).
Just compiled me a nice list of possibilities.

Just my opinion.

Also, I am skeptical, too... looks like a scare tactic to get subscribers for his password manager.

Take the effort to click on a few tabs on that site and you get indepth API info, code to use and implement, etc. Ive seen my share of scammy sites but this is not how those tend to look. Spotless English clearly written by a native speaker, and accurate results one can recognize without exceptions. The API works.

This is no BS site. The fact so many of you havent heard of it, to me is honestly stunning, more so than your thoughts of its legitimacy or purpose.

Due diligence pls? Click around a bit and see for yourself ...

Oh its half a decade, I see...
https://en.m.wikipedia.org/wiki/Have_I_Been_Pwned?