Happy Thursday! 770 MEEELLLION email addresses and passwords found in yuge data breach

Infosec researcher Troy Hunt has revealed that more than 700 million email addresses have been floating around “a popular hacker forum” - along with a very large number of plain text passwords. The data dump, which Hunt has uploaded to his Have I Been Pwned site for people to check if they’re included, comprises “1,160,253,228 …

  1. Anonymous South African Coward Silver badge

    Meh

    my gmail addy haz been pwned :(

    sad panda

    1. Lee D Silver badge

      Stop using one email address.

      Buy a domain. Make a new address at that domain for each service. If a service is compromised, throw it away / block it, and use another.

      Have them all redirect to... whatever you want. Like a GMail. If that gets compromised, you just point the domain at a fresh account and you don't have to go and change everything.

      Costs pennies a year. Takes about 20 minutes to set up even in the worst case. Gives you infinite email addresses (and ones to put in spam forms that you have to supply an email). Lets you keep the same emails on services forever, and change to whatever provider you like at any time.

      1. Lee D Silver badge

        As a demo, HaveIBeenPwned also lets you search for anything@yourdomainname.

        I get the following:

        The address I use to report brokenlinks on my website.

        The address I use as complete junk that doesn't even deliver any more (just bounces any incoming email with a rude server message)

        About 14 variations of the above junk (with appended letters, cut-off short, etc. so obviously lots of spam software suffers from off-by-ones!)

        A handful of addresses given to companies that were compromised (including places like Kickstarter, SolarWinds, 1&1 and Macromedia).

        Two addresses used to sign up on forums I used to frequent.

        Two addresses used on public Usenet mailing lists

        20-30 literal made up rubbish that has never existed at my domain (more off-by-ones, e.g. "real" usernames that are alphabetically close to addresses that do exist, but not at my domain).

        Most of these things are just everyday compromises of forums and stuff, and using one GMail address to sign up for them all is just asking for trouble. Presumably at least some of those accounts had their passwords compromised too, not just the email address.

        These people can't be trusted to keep your account information secure from spambots or password compromises. So use unique addresses and passwords, and then manage them all from one place, including terminating them if compromised and not using those companies again.

        1. Jesus45

          Any clue as to what websites/services have been compromised.

          I need to know what passwords i need to change....

          1. Jtom Bronze badge

            Follow the link in the article. It will tell you.

          2. W.S.Gosset Bronze badge

            > Any clue as to what websites/services have been compromised.

            > I need to know what passwords i need to change....

            HaveIBeenPwned.com

            The site itself is badly laid out. If you're on a laptop, chances are you'll be baffled by seeing nothing more than a single sentence saying you have/have not had N websites/logins pwned.

            You need to scroll down to the bottom. There will be a list of websites pwned, plus dates.

            In my case, I'd already handled them for all my non-spamtrap accounts. Eg, dropbox's crack a few years back, linkedin ditto, etc.

        2. Anonymous Coward

          Any clue as to what websites logins have been compromised?

          Most of my passwords are unique but a handful are not and they are important.

          I have to know if I need to change my password or not.

      2. Anonymous Coward

        This is what I did by accident in the 90s. Hadn't realised at the time that I'd improved my security by doing so. It was caused by my e-mail provider shutting my account down in error (Nildram BTW). It only took them a couple of days to bring it back but the fact they'd done it annoyed the hell out of me. So inconvenience was the driver but the result was improved security.

        I now have a few domains, all of which I redirect to gmail etc but it's great knowing that I can swap around whenever I want. Importantly though I never save any password for my domains or e-mail in a password manager, always have multi factor on those as I see them as the crown jewels - anything else can get hacked but those I need to ensure are as secure as I can reasonably make them.

      3. DoctorPaul

        Well worth doing

        Been doing that for years, it's interesting to see which firms have been hacked when the spam starts arriving at their assigned email address :-)

        One point - this approach requires catch-all email forwarding on the server, which some suppliers don't like to provide.

        It also means that you then get all the cr4p sent to randomly generated addresses at your domain - any that turn up more than once I forward to a junk folder.

        1. Lee D Silver badge

          Re: Well worth doing

          You don't need catch-all, just remember to create the address in their management panels before you use it. But even 1&1 and the cheapy 99p domain places don't care how many you have as the number of email aliases doesn't affect a domain host at all, generally.

          The solution for the techy people - make a secret format. For example, have the username (before the @ prefix) contain a number with, say, the number of vowels in the username itself (e.g. fred1, barney2, etc.) or some such way of identifying valid emails you've given out (e.g. just prefix them all like valid_username or somesuch). Then just reject ANYTHING that comes in on a username that's not compliant with whatever policy you've chosen.

          Still unlimited aliases. Still all at your domain. Easy to remember/create. Stops all the spam username-guessing. Can be implemented with a manual filter on the end account.

          Personally, with the above, going to a server under my control, implementing postfix, postgrey (greylisting), Spamhaus and then forwarding to a third-party webmail service the spam I get is zero except to those addresses that I know are spam (e.g. forum signup accounts). Hell, the underlying account gets spammed more than my domain, and that's not EVER been advertised anywhere (I have no need to). Solution: Block all mail directly addressed to the underlying account that wasn't originating from my server. Or just IMAP into your server mailbox direct (but I don't like the thought of running something like SquirrelMail on my own server for web access, to be honest).
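Lee D's "secret format" policy, written up as an added example that is not from the thread: a filter that delivers mail only when the number at the end of the local part equals the vowel count of the letters before it, at an assumed domain example.org; the sample messages are constructed.

```python
import re

# Added example (not from the thread): Lee D's "secret format" alias policy.
# Policy assumed here: local part = letters followed by a number, and the
# number must equal the count of vowels in the letters (fred1, barney2, ...).
VOWELS = set("aeiou")
DOMAIN = "example.org"  # assumed domain, stands in for "yourdomainname"
ALIAS_RE = re.compile(r"([a-z]+)(\d+)")


def alias_is_valid(address: str, domain: str = DOMAIN) -> bool:
    """True only if the address is at our domain and its local part follows the policy."""
    local, sep, dom = address.strip().lower().rpartition("@")
    if not sep or dom != domain.lower():
        return False
    match = ALIAS_RE.fullmatch(local)
    if match is None:
        return False  # no trailing number, or characters outside the format
    letters, number = match.group(1), int(match.group(2))
    return sum(1 for ch in letters if ch in VOWELS) == number


def filter_inbound(messages, domain: str = DOMAIN):
    """Split messages into (deliver, reject) by the recipient alias policy."""
    deliver, reject = [], []
    for msg in messages:
        (deliver if alias_is_valid(msg["to"], domain) else reject).append(msg)
    return deliver, reject


# Constructed sample traffic: two issued aliases, plus the kinds of guesses the
# thread describes (appended letters, cut-off names, wrong domain).
SAMPLE_MESSAGES = [
    {"to": "fred1@example.org", "subject": "Order confirmation"},   # issued alias
    {"to": "barney2@example.org", "subject": "Forum digest"},       # issued alias
    {"to": "fred@example.org", "subject": "Great offer"},           # no number
    {"to": "fred2@example.org", "subject": "Great offer"},          # wrong vowel count
    {"to": "barn2@example.org", "subject": "Great offer"},          # cut-off name
    {"to": "fred1a@example.org", "subject": "Great offer"},         # letters after number
    {"to": "fred1@other.org", "subject": "Great offer"},            # not our domain
    {"to": "fredd1@example.org", "subject": "Great offer"},         # appended consonant: passes
]

if __name__ == "__main__":
    deliver, reject = filter_inbound(SAMPLE_MESSAGES)
    for msg in deliver:
        print("deliver", msg["to"])
    for msg in reject:
        print("reject ", msg["to"])
```

The last sample shows the policy's limit: a guess that appends a consonant keeps the vowel count and still passes, which is why creating each alias explicitly before use (as the comment above also suggests) is the tighter control.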

    2. W.S.Gosset Bronze badge

      Gmail itself is OK (with caution)

      Gmail itself has tightened up their security very well in the last year or so, now doing sanity-checks on geo-location.

      I discovered this via an alert from Google. I'd got a bit slack with password re-use (and the HaveIBeenPwned site only has a subset of pwned sites) and there'd been various news items re cracks, and due to job-hunting and the egregious blending of databases behind the scenes in modern recruitment firms (you may not be aware that massive mergers mean that when you apply for a job and are mandatorily required to enter your life details and ID details, that then gets immediately spammed through as many as a dozen or more other companies when you hit Save) (And often multiple countries -- quite surprised to discover a govt job app in Australia took me through 3 or 4 countries, finishing in IIRC Portugal).

      I got a warning someone tried to login to a specific-use email with the correct password, from Texas, then just a month or so ago someone on another email likewise from Mt Gravatt, just down the road from me in Brisbane.

      So your actual gmail account itself is probably OK.

      And it serves as a timely reminder to not get lazy with password reuse :)

      Oh, and you ARE subsetting your email by specific-use addresses, right? Free on gmail.

      1. Kiwi Silver badge

        Re: Gmail itself is OK (with caution)

        Gmail itself has tightened up their security very well in the last year or so, now doing sanity-checks on geo-location.

        I discovered this via an alert from Google.

        Nice when it tells you of stuff from out of your city. Not so nice when it says 'Someone from Wellington' and you happen to live in Wellington. Did it just throw a hissy fit when one of the machines polled it, or was it someone else? What's the IP address?

        That would help. Then again, while they say "Wellington" they could mean "Brazil" - Google's claims about my location (even when using a NZ ISP) have not always been known to be within 2,000 miles of where I actually am.

  2. Version 1.0 Silver badge

    So we don't know who posted this list but we do know that everyone says we should start using a password manager ... You think that it's possible that someone at the password manager companies posted the list? Gotta scare the sheeple to buy our products...

    1. Anonymous Coward

      Way to not read the article or indeed understand this at all. Good luck with your rampaging paranoia.

      1. Anonymous Coward

        Five down votes from insecure idiots.

    2. Efer Brick

      At ~20 dollarooonies a year, I really don't know how they sleep at night, thieving scumbags.

      1. Jack of Shadows Silver badge

        Password Safe is free, designed by Bruce Schneier and available for Windows, macOS, iOS and Android, even works with YubiKey. I've been using it forever here. The "hardest" part is keeping everyone in sync. Tons of synchronization tools out there for that.

    3. Anonymous Coward

      because password managers NEVER have vulnerabilities

      ...and will always be patched.... haha...

      Follow the Sheep!

    4. Darren Forster

      I'm afraid selling a password manager doesn't exactly work... possibly one of the best password managers out there is already free of charge, and with an update in Google Chrome it even allows you to create a random password that it stores.

      The password manager is called Google Passwords. If you've got a google account and you've ever told Google to remember a password in Chrome and have Chrome Sync set up just head on over to passwords.google.com - login to your google account and hey presto! there are all the passwords you ever told google to remember for you.

      In reality there is no point in selling password managers because there are that many free ones out there; unless you make your password manager do something extremely flashy, you're running against something that is already there.

      Also the better solution to this to save your account from being hacked is to also use 2FA - you can download an app called Authy which will allow you to create 2FA codes easily on your phone, or if you search U2F or Yubi key on Amazon you can pick up a cheap U2F key which adds hardware security to your accounts (a U2F key is a small USB dongle that plugs into the computer when you want to login; after entering your password you then press a button on the dongle and it authenticates your login). The dongle produces a unique code and so to login it ensures you have the device (of course if someone steals the device then they could login but they'd have to also figure out your username and password as well and which accounts the U2F key are for, and hope they can login before you change the U2F key - there are also backup single use codes just in case you lose the device.)

      1. overunder

        A big blob of passwords are found...

        The fix... please create a big blob of your passwords.

        1. Graham Dawson

          Re: A big blob of passwords are found...

          A big encrypted blob.

      2. Byham

        Problem with 2FA is that your telco needs to be told not to allow online reassignment of your number to another carrier. Ensure that you have to be present. Otherwise your T-Mobile account is suddenly a Verizon account and someone else is getting your authentication numbers.

    5. Doctor Syntax Silver badge

      "Gotta scare the sheeple to buy our products."

      What is this word "buy" of which you speak. Just download KeePassX or whatever variation fits your OS.

  3. MrMerrymaker

    Check the Password page

    Type in a password you suspect is out there and it tells you if it appears in the list. Without tying it to you, or anyone, of course.

    Of course, for a laugh, I typed in 'password' and it said over 50 million accounts used it. This kind of hack is nasty, but some of us should at least TRY to have a proper password!

    1. MrMerrymaker

      Re: Check the Password page

      https://haveibeenpwned.com/Passwords

      Typed in the password 'donaldtrump'

      Oh no — pwned!

      This password has been seen 294 times before

      This password has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it!

      1. Rich 11 Silver badge

        Re: Check the Password page

        If you've ever used it anywhere before, change it!

        You can't tell me that. I have the best passwords, the yugest passwords. Everyone tells me so. I'm a stable genius and I know which is my password. You can't take my password from me. I'll pass a law, make the best deal in Congress. Then write an Executive Order so the courts will support me.

        Psst! Barron! How do I change my password? Good boy. Daddy loves you. No, not like Eric. And definitely not like Daddy loves Ivanka.

      2. Roland6 Silver badge

        Re: Check the Password page

        ... type in the password: 'correct horse battery staple'

        "Oh no — pwned!

        This password has been seen 3 times before ..."

        1. johnmayo

          Re: Check the Password page

          Only 3 times!

          Considering its origin:

          https://xkcd.com/792/

          1. W.S.Gosset Bronze badge

            Re: Check the Password page

            oddly, "shibboleet" only gets 1 time

            https://www.xkcd.com/806/


            (the possibly more correct shibbol33t or shibbol337 are both still fine, tho)

            (aside, did you know England used to have l337 Courts? https://en.wikipedia.org/wiki/Court_leet)

    2. -tim

      Re: Check the Password page

      Sometimes "Password" is the best password. I have a domain that I've been using for almost 25 years. In that time I've been asked for an email address and password for hundreds if not thousands of sites that I don't trust at all. Far too many of those untrusted sites happen to be on HIBP's list of Pwned Websites. The most common email address I use for these throw away things managed to get 4068 spam messages already this year, and those are the ones that got past the spam filters.

  4. SotarrTheWizard

    Interesting, but. . .

    . . . tried my work email on it. Said I was compromised three times. One of them was a 2013 breach. Problem is, that email account was created in late 2015.

    The other two are companies I've never heard of, much less created an account with.

    And, gee, if I want more details, I have to sign up for their pay service. . . .

    I'm thinking of this as maybe 20% informative, 80% Biz dev for their paid product. . .

    1. Permidion

      Re: Interesting, but. . .

      changing your password "just in case" will cost you nothing but a bit of time

      1. SotarrTheWizard

        Re: Interesting, but. . .

        Actually, I'm on a forced 60-day password change cycle with high complexity AND 2-factor authentication.

        1. J4

          Re: Interesting, but. . .

          Your security team might benefit from a review of password best practice recommendations from CERT or NCSC.

          1. SotarrTheWizard

            Re: Interesting, but. . .

            60 days, high complexity and multifactor. Remember, security is about MANAGING risk. I know you WANT me to use an epic passpoem, detailing the life and works of seven mythical Norse heroes.

            But I'm not Bruce Schneier . . .

            1. Anonymous Coward

              Re: Interesting, but. . .

              " I know you WANT me to use..."

              Nope, they were probably just recommending you don't use a 60 day cycle.

              1. Version 1.0 Silver badge

                Re: Interesting, but. . .

                Everyone I know with an enforced automatic password change has a list of the passwords posted on their monitors.

                1. Roland6 Silver badge

                  Re: Interesting, but. . .

                  Could be worse - they could also have the associated application/website and username details...

                2. Kiwi Silver badge

                  Re: Interesting, but. . .

                  Everyone I know with an enforced automatic password change has a list of the passwords posted on their monitors.

                  I've done that, nothing wrong with it.

                  If you have the full user name plus PW, that may be an issue. But only if undesirables can see it. If no one undesirable is going to see it then not a problem.

          2. DeVino

            Re: Interesting, but. . .

            ...or xkcd

            https://xkcd.com/936/

            Ascendo Datavault is pretty good.

            But I never store on a mobe.

          3. W.S.Gosset Bronze badge

            Re: Interesting, but. . .

            > Your security team might benefit from a review of password best practice recommendations from CERT or NCSC.

            did you actually READ what he wrote?

        2. Anonymous Coward

          Re: Interesting, but. . .

          60 day password change???

          Hmm that's not safe, it's not 2010 any more.

          1. Anonymous Coward

            Re: Interesting, but. . .

            Interesting that I got down votes and yet all the security advice from most major organisations say that 60 days is not secure as it is too frequent. Unforced changes are recommended as best practice.

            1. Anonymous Coward

              Re: Interesting, but. . .

              Agreed.

              We used to have sensible rules for passwords. Then we started a project with a major bank, and they insisted we obey their (less secure) password rules. :/

          2. rmason Silver badge

            Re: Interesting, but. . .

            Lots of sneering at enforced password changes.

            For clarity - I 100% agree that it's terrible practice. Sadly several of the large certification bodies disagree.

            We recently had to "cyber essentials certify" because some extremely large client thought it important.

            This is one of the boxes you have to tick. That we enforce regular password changes and complexity blah blah blah. Left up to us, it'd be different. Not up to us in I.T though.

            1. W.S.Gosset Bronze badge

              Re: Interesting, but. . .

              Depends on your context. The tradeoff is over-frequent enforced changes encouraging weaker passwords or password practice (postit note reminders, eg), vs old passwords still usable some time later.

              For banks and investment managers, for example, my own risk assessment is that regular and moderately frequent changes ARE a nett positive, in view of the huge risk of a soon-to-be-ex-employee remembering someone's once-overheard or over-seen password. That could be half a billion dollars out the door without anyone noticing for a coupla days. For example.

              Horses for courses, basically. There IS no silver bullet.

              And even the most technically-tight control can be utterly abrogated by social/cultural practice (eg, something I saw 2 years ago: all offshore (multimillion to multibillion) payments controlled via a separate machine. Yay. With a hardware dongle. Yay. Said dongle left next to the machine for everyone for convenience. Whoops.)

            2. Roland6 Silver badge

              Re: Interesting, but. . .

              We recently had to "cyber essentials certify" ...

              This is one of the boxes you have to tick.

              ?

              The NCSC(UK) rules that came into effect on 1st March 2017:

              Password Requirements.

              > The requirement to change admin passwords on a regular basis (at least every 60 days) has been removed.

              > The requirement that passwords be promptly changed if the applicant knows or suspects they have been compromised has been added.

              > The requirement for password lockouts or timeouts has been added. This limits the risk of brute force attacks on accounts and will:

              - lock accounts after no more than 10 unsuccessful attempts

              - limit the number of guesses allowed in a specified time period to no more than 10 guesses within 5 minutes

              > You should have a password policy that tells users:

              - how to avoid choosing obvious passwords (such as those based on easily-discoverable information like the name of a favourite pet).

              - not to choose common passwords — this could be implemented by technical means, e.g. using a password blacklist.

              - not to use the same password anywhere else, at work or at home.

              - where and how they may record passwords to store and retrieve them securely — e.g. in a sealed envelope in a secure cupboard.

              - if they may use password management software — if so, which software and how?

              - which passwords they really must memorise and not record anywhere.

              Suspect your certifying organisation was using an old questionnaire.
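The two lockout thresholds quoted above, implemented as an added example that is not part of the thread and not any NCSC or Cyber Essentials code: an in-memory guard that locks an account after 10 consecutive failures and allows at most 10 attempts per 5-minute window. The credential store and the `verify` callback are constructed stand-ins.

```python
from collections import deque

# Added example: the two thresholds quoted from the Cyber Essentials text.
MAX_CONSECUTIVE_FAILURES = 10   # lock after no more than 10 unsuccessful attempts
WINDOW_SECONDS = 5 * 60         # and no more than 10 guesses within 5 minutes
MAX_ATTEMPTS_PER_WINDOW = 10


class LoginGuard:
    """Per-account lockout and rate limiting, kept in memory for the demo."""

    def __init__(self):
        self.failures = {}   # account -> consecutive failed attempts
        self.recent = {}     # account -> timestamps of attempts inside the window
        self.locked = set()  # accounts locked until an administrator resets them

    def attempt(self, account, password, now, verify):
        """Process one login attempt at time `now` (seconds).

        Returns "ok", "denied", "locked" or "throttled". `verify` is a stand-in
        for the real credential check and returns True on a correct password.
        """
        if account in self.locked:
            return "locked"
        window = self.recent.setdefault(account, deque())
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()             # forget attempts older than the window
        if len(window) >= MAX_ATTEMPTS_PER_WINDOW:
            return "throttled"           # too many guesses in the last 5 minutes
        window.append(now)
        if verify(account, password):
            self.failures[account] = 0   # success resets the consecutive-failure count
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_CONSECUTIVE_FAILURES:
            self.locked.add(account)
            return "locked"
        return "denied"

    def unlock(self, account):
        """Administrative reset after the user has been verified out of band."""
        self.locked.discard(account)
        self.failures[account] = 0


# Constructed credential store standing in for a real password check.
DEMO_USERS = {"alice": "correct horse battery staple"}


def demo_verify(account, password):
    return DEMO_USERS.get(account) == password


def guessing_run():
    """Twelve wrong guesses one second apart: the tenth failure locks the account."""
    guard = LoginGuard()
    return [guard.attempt("alice", f"guess{i}", now=i, verify=demo_verify)
            for i in range(12)]


def throttle_run():
    """Correct password, but eleven logins inside five minutes: the eleventh is
    throttled, and the same login succeeds once the oldest attempt has aged out."""
    guard = LoginGuard()
    results = [guard.attempt("alice", DEMO_USERS["alice"], now=i, verify=demo_verify)
               for i in range(11)]
    results.append(guard.attempt("alice", DEMO_USERS["alice"],
                                 now=WINDOW_SECONDS, verify=demo_verify))
    return results


if __name__ == "__main__":
    print("guessing:", guessing_run())
    print("throttle:", throttle_run())
```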

        3. tip pc Bronze badge

          Re: Interesting, but. . .

          On your works domain maybe but what about some website you’ve logged into using your work email and some other password?

      2. JeffyPoooh Silver badge

        Re: Interesting, but. . .

        Permidion suggested, "changing your password 'just in case'..."

        The password 'just in case' has been pwned. Not kidding.

        Oh, I misread your suggestion. LOL

    2. Anonymous Coward

      Re: Interesting, but. . .

      A friend didn't recognise one company then realised it was the vendor behind the clothes site she knew got compromised.

      Just because you don't recognise it doesn't mean it's made up. Of course, you probably think you know it all!

      1. SotarrTheWizard

        Re: Interesting, but. . .

        And I rather suspect you work for 1password.com. (grin)

        The companies in question sell contact lists in industry, and I **know** that data is compromised, because I get at least one targeted spam a day, and generally more. . .

    3. Anonymous Coward

      Re: Interesting, but. . .

      Companies have sub companies, trade under different names, get sold on to other companies etc.

      Just because you haven't heard the company name doesn't mean that your email address was never used to sign up to that company. Also the breach lists are usually sold on by 'hackers' who may be merging data, combining it with other data etc. You know they may not be the most reliable people and therefore might try to inflate a 1mill list to 2mill.

      However if your e-mail address is on that list then it has almost definitely been compromised somewhere.

    4. Hawkeye Pierce

      @Sotarr Re: Interesting, but. . .

      I don't know what site you've entered your password on to find out it was compromised but it can't have been Troy Hunt's Have I Been Pwned if you think there's a pay service to get more details.

      1. Jack of Shadows Silver badge

        Re: @Sotarr Interesting, but. . .

        Just went through my list of current passwords, just in case, and the only one compromised is the one I use for throwaway accounts. I hadn't noticed that option before but it's been some time since I last checked Troy's site.

        Still changed passwords on key accounts (those tied to money) anyway.

    5. thecornflake

      Re: Interesting, but. . .

      There are invalid email addresses in this list (I know because someone tried to tell me it was a scam site based on that fact), probably from people generating potential email addresses for company domains using common names etc and then they end up in a phishing attempts list or something. Details for the breach show that the data may have come from several sources.

      There isn't any push to purchase anything, other than the recommendation that 1password is good because it uses an API to alert you if passwords you store in it are part of a breach. It's written by a totally different company (any company can hook their software into the data to check this).

      I seriously did have someone tell me they're convinced this is a huge scam to harvest email addresses and passwords entered by people from the same source IP address (to link them together) which to be fair would be a brilliant one - spend years building a reputation and working for Microsoft etc to then use a fake massive email and password data breach to harvest thousands of people's real details. I did point out (among other reasons) that why would you tell people their data had been breached and advise they change their password....

      1. Kiwi Silver badge

        Re: Interesting, but. . .

        "...this is a huge scam to harvest email addresses and passwords entered by people from the same source IP address (to link them together) which to be fair would be a brilliant one..."

        Years back when I was managing a few forum pages, I wondered if it would be worth logging failed login attempts along with the failed credentials. Never bothered but I can bet I would've been given people's email acc passwords and/or passwords to other sites they often visit.

        I would also bet that 1) I am not the only person to have thought of this and 2) it has already been done.

        1. Roland6 Silver badge

          Re: Interesting, but. . .

          > I wondered if it would be worth logging failed login attempts along with the failed credentials.

          Well, in doing some research I came across this:

          Microsoft sees over 10 million username/password pair attacks every day. This gives us a unique vantage point to understand the role of passwords in account takeover.

          From the attached guidance, I suggest MS had been doing this for some time, and that MS and other identity providers (IdPs) are doing this today (why wouldn't they?)

    6. Roland6 Silver badge

      Re: Interesting, but. . .

      >Said I was compromised three times.

      I found it useful to use the password search.

      Whilst it says my main email address has been compromised four times. Like you, two breaches I recognise (Adobe & LinkedIn); however, the other two (Onliner Spambot & Modern Business Solutions) aren't really helpful, as without knowing the password I cannot identify the site that was originally compromised.

      With the two I recognised, I was able to use the password lookup to confirm that the password that I was using on those websites back then doesn't appear on any breach list.

      In this instance I'm uncertain of the real value of a password manager, over and above a pocketbook. But then 1Password has been integrated with Troy's website and so can automatically check for compromised passwords...

  5. wolfetone Silver badge

    "Now is a good time to get a password manager app"

    Until one of them gets hacked again, then what?

    1. Captain Scarlet Silver badge

      Write it down in a book and keep it in a safe

      1. DropBear Silver badge

        But where am I supposed to get a lavatory (let alone a disused one)...?!?

        1. I ain't Spartacus Gold badge

          But where am I supposed to get a lavatory (let alone a disused one)...?!?

          Well, once you've put a "beware of the leopard" sign on the door - your frequently used lavatory will soon become disused. Especially after the first few maulings.

          A yellow warning Wet Floor sign in a conspicuous pool of blood helps, if you're a bit short of leopards...

      2. Kiwi Silver badge

        Write it down in a book and keep it in a safe

        With a little bit of obfuscation to make sure no one who gets/photographs the book can get further.

    2. Anonymous Coward

      I use an offline password manager app. I really do not give a flying fuck if the app gets hacked.

    3. FrogsAndChips Bronze badge

      If your offline password manager gets hacked, you have bigger problems.

    4. Anonymous Coward

      I store all mine in a VeraCrypt file in individual txt files.

      1. billdehaan

        I store my low security passwords in a Keepass wallet.

        I store my high security passwords in a Keepass wallet that's on a VeraCrypt volume.

        I store my really high security passwords (ie. banking info) in a Keepass wallet that's on a VeraCrypt volume that's on a portable drive that's disconnected and locked in a fireproof safe when not being used.

        And no, I'm actually not joking about that.

        1. Jack of Shadows Silver badge

          Same here except banking details kept in memory. No safe. Blows the BofA manager's mind whenever I've lost a card that I can rattle it all out when needed. [Sadly, my BofA password is the easiest to brute force. Just keep it extra long for that reason.]

          1. Anonymous Coward

            "Same here except banking details kept in memory."

            My online banking comes with a digital 2FA device which produces effectively a one-off code each time. Only activated with the account debit card and a pin that is only stored in my head.

    5. billdehaan

      Password managers don't have to be networked applications. There are many standalone password wallets that are essentially just password-protected local files.

      My favourite is Keepass. It's free, open source, and available on numerous platforms, both desktop and mobile. And most importantly, it's been audited by security experts like nobody's business.

      I agree, "cloud-based password manager" can be synonymous with "single point of failure". But if your passwords are stored in an encrypted file on your Windows/Mac/Linux/Android/iOS box/tablet/phone, they're going to have to be able to access it either physically or remotely before they can even start cracking the password file.

      1. KSM-AZ

        Use the new KeePassXC, add the plugin to Chrome/Firefox. Very Nice

  6. msknight Silver badge

    Detail gone

    I believe they used to tell you what sites you were breached from... but now it looks like that's gone. They only point you to an FAQ, so I can't easily tell how bad the damage is. Perhaps that's what's happening... so many people say, "Meh, that's so old that I won't bother buying these password services..." so they've stopped telling people which sites they were pwned on, perhaps in the hope of panicking more people to buy their services.

    1. Anonymous Coward
      Anonymous Coward

      Re: Detail gone

      Not accurate. Read the full description and it does indeed tell you where it came from. You're so bloody cynical.

      iPmart: During 2015, the iPmart forum (now known as Mobi NUKE) was hacked and over 2 million forum members' details were exposed. The vBulletin forum included IP addresses, birth dates and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked. A further 368k accounts were added to "Have I been pwned" in March 2016 bringing the total to over 2.4M.

      1. msknight Silver badge

        Re: Detail gone

        I work for government. Being cynical is part of the job description. Yes Minister.

        They are counting collections and separate data breaches as "breached sites" so I suppose that's where the problem is coming from. Telling me x number of breached sites, but actually being within larger collections.

    2. Graham 2

      Re: Detail gone

      This data release is a collection of other breaches, hence why there are lots of different types of delimiter, crap data etc. So, there's no way to tell if the data is from a specific source.

      1. msknight Silver badge

        Re: Detail gone

        They appear to know which source they're from, if they're able to tell me that I was pwned on 4 breached sites ... presumably they already know which sites those are.

    3. Anonymous Coward
      Anonymous Coward

      Re: Detail gone

      If you have unique passwords for every site and they are very strong passwords then you can use the api to create a hash of your passwords and upload the first 5 characters. The reply can be used to check against that password to see if it has been used.

      In that case you will be able to work out which site the password came from.

      Similarly if you use unique email addresses for each site (i.e. you have your own domain or use the + method of email addressing) then the compromised e-mail address will tell you the site it came from.
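      An added, offline illustration of the two checks described in this comment (example code written for this thread, not the commenter's own and not Have I Been Pwned's client): the password is hashed locally with SHA-1, only the first five hex digits of the hash stand in for what would be sent, the returned "suffix:count" lines are matched locally, and the plus tag of an address such as user+site@example.com is extracted to name the service that leaked it. The corpus, the counts and the range reply are all constructed stand-ins for the remote lookup.

```python
"""Offline model of the k-anonymity password check and plus-address lookup.

Constructed example: CONSTRUCTED_CORPUS and the counts are made up, and
constructed_range_reply() plays the role of the remote range query so that
nothing leaves the machine.
"""
import hashlib
from typing import Callable, Dict, List, Optional

# Constructed stand-in for a breached-password corpus (made-up counts).
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password123": 123456,
    "letmein": 4321,
    "correcthorsebatterystaple": 7,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range check uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def disclosed_prefix(password: str) -> str:
    """The only thing that would be sent: the first five hex digits of the hash."""
    return sha1_hex(password)[:5]


def constructed_range_reply(prefix: str) -> str:
    """Stand-in for the remote range lookup.

    Returns one 'SUFFIX:COUNT' line per corpus hash whose first five hex
    digits equal `prefix`, plus three constructed filler lines so the caller
    has to match on the suffix rather than trusting any line it gets back.
    """
    lines: List[str] = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    for i in range(3):  # constructed filler entries
        lines.append(f"{sha1_hex(f'constructed-filler-{i}')[5:]}:{i + 1}")
    return "\r\n".join(lines)


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often `password` was seen, or 0 if its suffix is absent.

    Only the five-character prefix is passed to `fetch_range`; the full hash
    never leaves this function.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def site_from_address(address: str) -> Optional[str]:
    """For 'user+tag@domain' return 'tag'; None when there is no plus tag."""
    local, at, _domain = address.rpartition("@")
    if not at:
        return None
    _user, plus, tag = local.partition("+")
    return tag if plus and tag else None


if __name__ == "__main__":
    for pw in ("password123", "not-in-any-corpus-9f3k"):
        seen = check_password(pw, constructed_range_reply)
        print(f"{pw!r}: prefix sent {disclosed_prefix(pw)}, seen {seen} times")
    print(site_from_address("me+kickstarter@example.com"))  # constructed address
```

The same `check_password` works unchanged against a real range endpoint if `fetch_range` is swapped for a function that performs the HTTP request, because the matching happens on the suffix after the reply arrives.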

      1. msknight Silver badge

        Re: Detail gone

        I do use unique e-mail addresses for some, where I think the site is most likely to sell my details... I guess I'm going to have to feed them into the engine one by one, as I do use different passwords for various sites... but that's my problem for being a pain :-)

    4. W.S.Gosset Bronze badge
      Alert

      Re: Detail gone

      > I believe they used to tell you what sites you were breached from... but now it looks like that's gone.

      Yeah, I had the same reaction.

      Turns out it's just a bad new site design.

      The "what sites" info is now right down the bottom of the page. Under all the ads.

  7. Graham 2

    772 meeelllion?

    I got an email about this. When I ran the domain level report to see which accounts appeared I saw 5 that were valid and current email addresses and another 23 which were mangled versions of these, or really old "one off" emails that were used about 15 years ago.

    While it's a big number, I don't think it will have hugely increased the number of pwned addresses overall.

    1. Anonymous Coward Silver badge

      Re: 772 meeelllion?

      Mine has 1 address from my domain, which got onto the lists years ago. No new addresses in this list. That (unique, vendor specific) address has now apparently been leaked onto 5 different lists, so clearly they're resorting to lists of lists to boost numbers.

  8. Anonymous Coward
    Anonymous Coward

    Now is a good time to get a password manager app

    was it sarcasm or genuine advice?

    1. SoaG

      Re: Now is a good time to get a password manager app

      It is El Reg, so hopefully sarcasm. PW managers are the biggest risk out there. At least one of the big ones has already been breached a couple years back and the others all have huge bullseyes on them.

      Never understood the mindset that a single point of failure is somehow a good idea.

      1. Doctor Syntax Silver badge

        Re: Now is a good time to get a password manager app

        "PW managers are the biggest risk out there."

        You're probably thinking about online password managers. Big hint: there are ways of doing some computing tasks without using the internet. Managing passwords is one such task.

  9. confused and dazed

    A large post-it

    Since we need ever more complex and differing passwords, and we don't trust password managers ...... how about a piece of paper and maybe a pencil ?

    and maybe hope not to get burgled .....

    1. Mark 85 Silver badge

      Re: A large post-it

      I have a list using a notepad that sits on my desk at my house. The last page of said notepad. For "backup", there's a copy in my fireproof lockbox in the closet. Not too paranoid, right? If the house burns down, the lockbox should be safe although I'll probably have bigger problems than not having a password at hand.

  10. Howard Hanek Bronze badge
    Happy

    Telepathy

    Our Internet is just one big breach which explains why all those SciFi fans rooting for those species who communicate telepathically are wrong. They could never overcome their natural homicidal instincts and must quickly kill themselves off.

  11. disgustedoftunbridgewells Silver badge

    explanation

    This explains the emails that started showing up in my spam folder a couple of months ago with the subject set to a password I've used and the body threatening to do something I can't remember if I didn't send some bitcoins to somebody.

    1. tekHedd

      Same here except...

      I'm getting those same emails, except it's always an email I've never used anywhere. This makes me question the usefulness of some of the breach data.

    2. I ain't Spartacus Gold badge

      Re: explanation

      The ones I've seen are about having activated your webcam and videoed you watching porn. The ones I got at work weren't even using my work email address, so I don't know if that was a mistake in their email software - as they sent it to the right email, just used a different one in the body.

      But I got a panicked call from a friend about it - I suspect her email address went in the Experian hack. Then had to navigate a rather embarrassing ten minutes to reassure her that changing a few passwords would be a good idea if she'd been re-using them - but she was fine. The question I definitely wasn't asking being about online porn - because she's incredibly uncomfortable about sex, and I'm pretty sure she was more worried about that than her online email being hacked. Nasty little email, and I hope that particular hacker's server racks fall on his head.

      1. disgustedoftunbridgewells Silver badge

        Re: explanation

        Yes, that's the one I've had. manutd is one of my passwords that I only use in places I really don't care about, don't trust and expect to get hacked. My email is mail@domain, which explains the first part of the subject:

        Subject: mail : manutd

        -

        I am aware manutd is your pass words. Lets get straight to the point. Not one person has compensated me to check you. You don't know me and you're most likely thinking why you are getting this email?

        actually, i placed a malware on the X video clips (porno) site and do you know what, you visited this website to have fun (you know what i mean). When you were watching videos, your browser began functioning as a Remote control Desktop with a key logger which provided me with access to your display screen as well as web cam. immediately after that, my software obtained all your contacts from your Messenger, Facebook, as well as e-mailaccount. after that i created a double-screen video. 1st part displays the video you were viewing (you've got a good taste lmao), and next part shows the view of your web cam, & its you.

        You have got only 2 solutions. Lets read up on these types of choices in details:

        Very first alternative is to ignore this e-mail. in that case, i most certainly will send your tape to all of your contacts and just think regarding the disgrace you experience. and as a consequence if you happen to be in a romantic relationship, just how it will affect?

        Number two alternative should be to give me $887. Lets describe it as a donation. in this scenario, i most certainly will instantaneously eliminate your video footage. You could resume everyday life like this never occurred and you will not hear back again from me.

        You will make the payment through Bitcoin (if you do not know this, search 'how to buy bitcoin' in Google).

        BTC address: [redacted]

        [CaSe-sensitive copy & paste it]

        if you have been making plans for going to the cop, well, this message cannot be traced back to me. I have taken care of my steps. i am also not attempting to ask you for a huge amount, i simply want to be rewarded. e mail if i do not receive the bitcoin, i definitely will send your video recording to all of your contacts including members of your family, colleagues, and so forth. However, if i receive the payment, i will destroy the video immediately. If you really want evidence, reply Yes then i definitely will send your video to your 10 contacts. This is a non-negotiable offer that being said please do not waste my personal time & yours by replying to this e-mail.

        1. David McCarthy

          Re: explanation

          Cunningly, I don't have a webcam.

  12. Stevie Silver badge

    Bah!

    All my emails show as pwned.

    None of my passwords do.

    However, at every stage I was exhorted to download the recommended password manager.

    This Means Something.

    1. John Brown (no body) Silver badge

      Re: Bah!

      "This Means Something."

      It means the site needs money to operate, hence the prominent donation button.

  13. Anonymous Coward
    Anonymous Coward

    I ended up checking the list of 2,000 plus websites just to see which ones I was registered on.

    Not a single one of them I knew of.

    Could possibly be a fake list containing details from previously leaked breaches, then randomly mixing the passwords with other e-mails in order for hackers to sell to morons.

    1. Anonymous Coward
      Anonymous Coward

      I can actually confirm this, now.

      I had a friend of mine grep the database for my e-mail address.

      He found the same details three times, which was from an earlier leak.

  14. Tom 35 Silver badge

    Blackmail spam

    I've received two blackmail spams (pay or we send your web cam porn to all your contacts) using info on there.

    It's the junk email and password I used when a site requires you create an account to download an update. I don't know who leaked it and don't much care, that's why I used a junk email forwarder. As a bonus it was forged to look like it came from that address.

    1. David McCarthy

      Re: Blackmail spam

      (Smug) Don't have a webcam.

  15. Richard Parkin

    Why are people here so ignorant of good password practice and security?

    Every time this subject comes up there is a slew of completely ignorant comments and it’s clear that none read Troy Hunt’s excellent blog!

  16. NBCanuck

    What sites?

    So if my email address comes back as pwned, how can I tell what site was compromised? I use unique passwords and there is no way I am going to type them all in.

    1. Roland6 Silver badge

      Re: What sites?

      >So if my email address comes back as pwned how can I tell what site was compromised.

      Buy 1Password, it will automatically check your login details against Troy's database...

      Aside: I use a different password manager, so not trying to sell you 1Password.

    2. W.S.Gosset Bronze badge

      Re: What sites?

      Scroll right to the bottom of the page. The individual pwned sites are listed there, along with when they got cracked.

  17. Vincent Ballard
    Coat

    "Unique"

    If there are "22.2 million unique passwords", how many non-unique ones were there? Or are you confusing the word "unique" (occurring once only) with the word "distinct" (counted once only)?

  18. lowwall
    Black Helicopters

    Still have 3 good passwords

    In case anyone missed the link above, you can check if your passwords appear on any of the lists at https://haveibeenpwned.com/Passwords

    As expected, the passwords I use for forum sites (including this one) and other throwaway accounts all have "been seen nn times". Happily the ones I use for sites that hold data that actually matter are fine.

    Or maybe they aren't now that the site has linked all my passwords to my IP address. WHAT HAVE I DONE?

    1. Kiwi Silver badge

      Re: Still have 3 good passwords

      Hence why I shall not partake of the opportunity to vanity-surf.

      Just because a password has been seen doesn't mean it's not safe. In time every human-possible password will be 'seen' (at least in theory). Matching them with a user name or email is another matter.

      I'm certainly not testing my bank ones without firing up some torified or other hide-me browser/connection.

  19. Brewster's Angle Grinder Silver badge

    OTP

    I'd change my passwords. But I can't remember any of them.

    Nor, for that matter, can I remember what my coat looked like or where I hung it.

  20. Palpy
    Coat

    Lazy sods, those hackers.

    According to haveibeenpwned, none of the passwords I use have been compromised. What a letdown. Granted, I only checked the ones I deem important, but still. Seems like I would get some damned respect.

    Mine's the one with all the passwords on index cards in the pocket.

  21. Doctor Syntax Silver badge

    I haven't even bothered checking if the email addresses I've used exclusively for PayPal are there. They will be because those numpties think it's a good idea to pass it on to every merchant even if it's also the logon ID. The only way to handle that would be to change the email after every purchase.

    Why do so many businesses think that an email address is a good logon ID?

    1. holmegm

      Why do so many businesses think that an email address is a good logon ID?

      Because #1 it is unique, and #2 you won't forget it.

      1. W.S.Gosset Bronze badge

        also: then they've got your email address

    2. Anonymous Coward
      Anonymous Coward

      I was surprised to find that my dedicated (15+ years) PayPal address wasn't in there. Especially since it is occasionally received on a spam email.

      Only two of the ones I checked were there - and both would have appeared in either Yahoo Groups postings - or as public contact details on a web site I manage.

  22. Anonymous Coward
    Anonymous Coward

    Hmmm

    I note, using the "I've been pwned" password check with old passwords, and from spam I've received telling me my porn-watching habits are for sale for all and including an old password from LinkedIn as proof, that each breach cracks a one-digit-longer random password that I have used in the past. They are making progress......

  23. Anonymous Coward
    Anonymous Coward

    FAKE NEWS

    They claim that the password "hamburger1" has been seen 9,115 times before!

    Can't be, I have the very best people working for me.

    - Don

  24. FuzzyWuzzys Silver badge
    Facepalm

    Where's your password manager?

    Those pathetic scamming emails have been increasing lately, I've seen loads come through for accounts I've killed off 2-3 years ago. I check the passwords they send me in my keystore but out of 15 in the last 3 months none are active and none of the passwords are active.

    Always, always use a password manager you can then always ensure you have non-reusable passwords, even for crappy one-off logins for forums and such like. I can't believe that a quick straw poll at work showed me that out of 10 IT techies only 2 of us use password stores for work and home account details. Where does everyone store their passwords, on Post-Its on desks? In text files?!

  25. MarthaFarqhar

    Text file encrypted using RSA-2048 gpg key. I'm buggered if I lose/forget the passphrase!

  26. WibbleMe

    Well the only good news is that yours is a needle in a haystack

  27. Anonymous Noel Coward
    Boffin

    I'll tell you one thing...

    ...this really reaffirms my faith in the gov't having the details of everyone who wants porn when they start blocking websites in April.

  28. Mark 75

    I don't get it

    One of my email addresses is reported as being pwned.

    I then go to the password look-up and enter one of several passwords I use and they aren't found.

    So, how can my email address be pwned if my password can't be found?

    1. Anonymous Coward
      Anonymous Coward

      Re: I don't get it

      I wonder if some of the entries are just trawled email addresses?

    2. W.S.Gosset Bronze badge

      Re: I don't get it

      it's just reporting that your email address has been found on a list for a site which has been pwned.

      it's NOT able to say if you HAVE been pwned, merely that you are at risk.

      .

      and yes to the replier above: most of these emails are taken from leaked lists, which have often been trawled rather than cleverly pieced-together-with-sites. it's not an either/or thing, it's both.

  29. Keith 20

    Advertorial ... shouldn't this be marked?

    This is just an advert. The hacked ids are from old breaches, nothing new. Shame on you El Reg

  30. MrKrotos

    Oh dear!

    Oh no — pwned! This password has been seen 59 times before.

    When I tested "thereg"

  31. Richard Cranium

    data quality issue

    I'm concerned that in the pursuit of headline grabbing numbers the quality of the list is at hazard. I've got numerous gmail accounts designated for different purposes so the first problem is that I can't submit a list but have to do the names one by one.

    One example of a second issue is that one of my addresses is shown as leaked on Disqus, but was it? The report says "In October 2017, the blog commenting service Disqus announced they'd suffered a data breach. The breach dated back to July 2012 but wasn't identified until years later when the data finally surfaced."

    I joined Disqus in 2016. So was the leak of 2012 data or did the leak continue right up to the date of the announcement in 2017? The password that might have been "disclosed" (Disqus stored as salted SHA1) was unique to access that site, it wasn't my EMAIL password, and even if it had been it's protected with 2FA giving extra security. I don't recall if Disqus sent a breach report to all their users but if they did I would have changed password. Good practice on their part after a leak would be to require a password change on next login; if that were the case much of the database would be entirely misleading - your email address is "known to third parties" but what use is an email address that's not known to others?

    It seems to me that haveibeenpwned lists any email address that has ever been on any site that's suffered a leak irrespective of other considerations and they are being treated as compromised.

    So the email address check is not very useful, is the aim of haveibeenpwned.com merely self aggrandisement? More use might be the "pwned password" test but don't forget that's not YOUR usage of that password and not necessarily linked to one of your sets of login credentials. It just tells you that someone, at some time in the past, has used that password on one or more of thousands of compromised sites. Interestingly it seems plenty of low-grade passwords haven't been compromised. Obviously "123456" and "password" have millions of instances, we are advised against short passwords but even "l2e4S6" and "p4s5w0Rd" (letter/number substitutions) aren't in the database.

    A combined test for email and password would be more value to you but who'd be stupid enough to enter both to a third party web site? I'm reasonably confident that haveibeenpwned.com is trustworthy but I'd not disclose full credentials on the basis of "I think it's probably a trustworthy web site". Even if you checked email and then password on the same site, visitor tracking capabilities are such that the two separate enquiries could be shown as coming from the same source so you've potentially provided the site owner with the full set of login credentials.

    1. Kiwi Silver badge

      Re: data quality issue

      I'm reasonably confident that haveibeenpwned.com is trustworthy but I'd not disclose full credentials on the basis of "I think it's probably a trustworthy web site".

      Oh, I can see it now!

      In normal, safe, un-threatening text "Please enter your email address to check if you have been pwned".

      Non-threatening "Please wait while we check"

      Very large, flashing, super-scary "YOUR EMAIL ADDRESS HAS BEEN HACKED! URGENT ACTION IS NEEDED! ENTER YOUR PASSWORD SO WE CAN CHECK IF THAT IS SECURE!".

      And the sad thing is I know so many people who will do it because the site told them to.

      Maybe we need a new line of computer furniture. With built-in shackles and spikes, custom designed to cause unpleasant feelings in those who are likely to give their details away. Carefully custom-designed so those who revel in pain don't get the sort of pain they enjoy, but other pain instead.

Biting the hand that feeds IT © 1998–2019