The 773M Record “Collection #1” Data Breach(troyhunt.com) |
Websites put so much effort into tracking every little thing about their users, from where they come from to what they do. Hotjar (https://hotjar.com) goes ahead and tracks mouse movements and now we even have crazy f-ed up startups like Peekmap (https://peekmap.com) that claim to predict eye gaze without the webcam.
And yet they get pwned so easily.
So much effort into violating user privacy, so little effort into enforcing user security.
This post looks almost like an ad. I hope, then, you are putting effort into "enforcing user security".
Emphasis on ‘claim’. Considering he built this product, it would insinuate they don’t actually have this capability and are instead selling lies, pipe dreams and bullshit.
This is very weird.....
EDIT: Nice to see their open development position is an unpaid internship.
Collecting data on users should be extremely risky, even if they consent to its collection.
This, to me, is the most pivotal part. Data was stolen in relation to you? Too bad, so sad.
>Collecting data on users should be extremely risky, even if they consent to its collection.
The problem is that it's been so normalised that it's become pedestrian. It's the new norm and no longer risky because "everyone's doing it".
Fines of up to 4% of yearly revenue area no joke: https://www.forbes.com/sites/bernardmarr/2018/06/11/gdpr-the...
I just can't imagine how you can reliably track a users eye gaze without a webcam - is it just some snake oil pretending to solve everything with AI?
Sounds synonymous with "scum bag" to me, priansch.
But as he discusses in the post, that leaves users knowing that their email address was in the data dump, but with no way of knowing which site it came from, or what password was breached.
So while this increases the number of records in HIBP, and perhaps makes the password popularity tracker a bit more comprehensive, it still leaves users exposed.
I know which password of yours was breached, and that information is now effectively public, but you probably don’t know where to find it yourself, and I won’t tell you which one it was. So I guess just assume all your passwords are cracked and use a password manager.
I don’t really hold it against Troy, because again, I respect his decision not to store plains directly associated with usernames. He did as much as he was willing to with the data, and it’s better than nothing, but not great all the same.
HIBP is quickly becoming a critical piece of the Internet security infrastructure, and Troy should be lauded for undertaking it basically by himself.
I hate to be that guy [1], but no, that does fit in a 32-bit integer - as long as it's unsigned.
From the tweet, it seems like SQL Server puts the result of a COUNT into a signed 32-bit integer, which really surprises me.
[1] I lied, I love being that guy.
But as far as I can see it is gibberish spam-mails. I see 500+ entries such as:
fkdsjlfjldsf@example.com
spamkdsjf31@example.com
fsdjlfsdjkl@example.com
i.e. none of these emails at my domain are real, nor have they ever been real. That said, if you allow password-based authentication on a server which is shared you might consider using my PAM module:
https://github.com/skx/pam_pwnd
It does lookups of previously-leaked passwords. Best practice these days is SSH-keys for authentication, but this would cover weak sudo passwords too, etc.
Not sure whether it's cool to post any links here.
I'm gonna download the passwords offline and try this plugin: https://github.com/mihaifm/HIBPOfflineCheck
(you can grab the offline passwords from here: https://haveibeenpwned.com/Passwords )
All my passwords are randomly generated so they are different for all websites.
I've checked again if I was pwned and at the top there is a service I've never signed up for: Apollo, a sales acceleration platform.
I'm a simple dev and never subscribed to a sales service...
What should you do now? I mean editing and changing the password in every one of them seems like a daunting task. And many of those services I no longer use anyway.
I am thinking of completely giving up the identity and start over, which seems easier. Or any other thoughts and comments?
Edit: I will definitely pay Apple a monthly fee if there is some simple and easy way to have an online identity using email along with Face ID or Touch ID as 2FA. Getting rid of passwords while increasing security is something that should have happened but has yet to happen.
What did strike me as odd this time is that they did not end up in my spam folder but in my inbox. I'm using Gmail, which normally for me has very good spam/phishing detection. Somehow these mails came through though? Maybe it's just an instance where Google was late to catch up with the cat/mouse game on this attack. Or these phishers are getting more sophisticated?
http://www.mediafire.com/file/mluhkk4dpqi8vfm/Collection_1.t...
I found the link via a comment on /r/pwned [1]. I think it originally came from RaidForums [2].
[1] https://www.reddit.com/r/pwned/comments/agsjie/troy_hunt_the...
[2] https://raidforums.com/Thread-Collection-1-5-Zabagur-AntiPub...
[0] https://darekkay.com/blog/another-password-leak-oh-must-tues...
Maybe it was this one.
Showing 20 bits of the password hash narrows down the possible passwords to one millionth. You should check it locally by downloading the password hash list.
... but with a non-trivial risk of someone else locking you out from your own account.
If I was him I'd do the same. HIBP is a side project of his and I wouldn't be able to sleep at night knowing I have the responsibility of securing billions of email & password combinations.
At the risk of the breach of those accounts adding fuel to the credential stuffing fire and reducing his overall credibility when providing security advice which is his primary occupation.
Too risky.
I know one of the weak passwords I stupidly reuse everywhere was compromised, since I had someone buy something with my PayPal account. But it comes up as clean in the password search. So it was probably cracked from one of the leaked hashes, but the plain text was never entered into the public dumps.
If you're as paranoid as you should be, then you can use an API to search using k-anonymity: https://api.pwnedpasswords.com/range/{hashPrefix} There you can replace "{hashPrefix}" with the first 5 characters of the SHA-1 of your password. It will return a list of all SHA-1's that start with the given 5 character prefix, as well as how many times they've been 'busted'. Ideally it will not return the full SHA of the password you're testing, meaning you're in the clear.
For testing purposes, the SHA-1 of "Passw0rd" is "21BD12DC183F740EE76F27B78EB39C8AD972A757".
---------
Edit : I previously stated you could search directly by the SHA-1 of your pass alone (in the regular web interface). It looks like this feature has been removed since he's added the k-anonymity feature. So your options are searching directly by password, or using the k-anonymity hash prefix API.
https://gist.github.com/schmich/aeaffac922271a11b70e9a79a5fe...
You need to look at the request being generated. Here's how to do it:
1) The SHA-1 of P@ssw0rd is 21BD12DC183F740EE76F27B78EB39C8AD972A757: https://passwordsgenerator.net/sha1-hash-generator/
2) Pass the first 5 chars to the API here: https://api.pwnedpasswords.com/range/21BD1
3) Find the suffix in the response and it has the count next to it: 2DC183F740EE76F27B78EB39C8AD972A757:51259
[0]: https://www.troyhunt.com/the-773-million-record-collection-1...
I mean I do, and that's why I have 100+ passwords that MIGHT be compromised. I don't even know where to start? Seems like the password should be shareable if you control the email or something like that. Fuck, I'd take a cc style last four type redaction or something.
I know because every time I register for a site I use site@mydomain.com as my email.
You can also do that with gmail by using the login+alias@gmail.com syntax but it's well known and trivial for a hacker to defeat.
Even if it's not in the HIBP base, you should always assume that. That's why you should always enable MFA everywhere it's possible and consider all services where it's not already compromised.
This of course could happen in a company like 1Password, and there is a point at which I need to make the call and trust the person(s) coding the password manager. I feel that with 1Password there's at least the large size of the company, which would mean more eyeballs and accountability. There is also the history of the company at ~12 years. This includes vetting and buy-in from larger companies, which inspires a vote of confidence.
FWIW Bitwarden checks off nearly all the other boxes for me and I think the single dev has done a seriously bang up job.
- long history - to me it's the original password manager
- frequent updates and always keeping up with relevant OS features, like iOS AutoFill which allows 1Password to be set as the default iOS password store: https://support.1password.com/ios-autofill/
- flawless experience
It's better than using the same password.
1. People are bad at making new passwords.
2. Someone might clear their browser history and delete the logins as a result.
3. Lock-in into the Chrome ecosystem.
I personally use KeePass, but I understand it is a bit cumbersome to carry around a USB stick.
I'd recommend LastPass to those who don't understand simply because it has a free tier, but everyone else should seriously consider paying the 2$ a month for whichever service they use.
I don't know if there is an actual working product though, their Twitter is only 16 hours old.
For the people I'm talking about, installing and maintaining a "real" password manager isn't going to happen. The alternative is for them to continue using "Nameofcat1" for every damn site.
It's a reasonable trade-off.
Knowing that - for sure - a password has appeared in a breach is very useful.
It can only check against a database of known password leaks.
But data protection institutions are warming up for taking Facebook to task: https://www.cnbc.com/2018/10/04/facebook-data-breach-top-eu-... - the 1.6bn is way over the top since FB informed customers in time, but still this will be a lighthouse case.
Oh no — pwned! This password has been seen 3,645,804 times before
If you want the account unbanned, feel free to email hn@ycombinator.com with evidence that you own it and a promise not to do stuff like this.
Particularly once there's a certification fee, it quickly becomes a racket, where people with strong ethics and skills get pushed aside by someone who paid a fortune to sit a course. Language lawyers will find ways to sign off on major issues, and some largely irrelevant thing ends up becoming the majority of the process.
I recently started setting up a phpBB forum for a personal project. Because I wanted to respect people's privacy as much as possible, I removed certain fields like the birthday so that they can't be entered. I disabled private messages to avoid keeping unneeded nominally private data. To contact a specific user, I allowed only emails sent via a form to prevent leaking a user's email address. And I installed an extension to allow users to delete their accounts. I was pleasantly surprised with how easy disabling birthdays and other profile fields was, but somewhat disappointed that allowing users to delete their own accounts wasn't built in yet. It would be nice for forum software to have a standard set of features and default behaviors that respect privacy. I doubt many people change the configuration settings I did. (If you have any other ideas for forum admins to make their forum respect privacy better, I'm interested.)
I don't see why a forum should have a birthday field in particular. If COPPA compliance is a concern, just ask if the user is 13 or older at registration.
Tell the software vendor! They need to supply sane and private defaults, so that every admin who deploys an instance benefits automatically.
You could drive home the point by saying that if you were to run the software in the EU, it becomes a ticking time bomb and is an invitation for getting a forum admin into obnoxious manual cleaning work at best, legal trouble at worst.
The history of "web page endorsements" is pretty lousy. The only one that really stuck was SSL enhanced verification, and all that does is tie a cert to a business entity.
They do have an API that allows you to search for your password based on a truncated checksum, so you can find out if your password was leaked, without revealing the password.
https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...
Which does upload your password, which I think is an unacceptable risk.
You could have made your points in a much more constructive and concise manner:
Pwned Passwords is a great data set, I would recommend against using the webform to check your password, instead download the hash file or utilize the extremely simple api. The webform is insecure because...
But it also pulls untrusted code/CSS from various sites over HTTP. It's far from unclear who controls that code.
For instance this wall of code: http://az416426.vo.msecnd.net/scripts/a/ai.0.js
A more sane approach would be to just put your passwords in a file, maybe by export from your database manager. Take a sha1 of each password, then submit those. That way you aren't trusting any random 3rd party sites to run safe code.
If it’s ‘far from unclear’, it would seem to imply things are rather clear, IMHO.
far from unclear unclear clear far from unclear
^ ^
| |
-------------------------------------------------
It would take substantial time, expertise, and effort to audit that single web page. Even then any of the numerous pieces could change at any time.
So the risk is high, especially for something you are putting trusted passwords into.
It sends the first N characters of the SHA1 hash of the password you provided to the server, the server replies with all the hashes it knows with that prefix, and then the client-side JS compares it to the rest of the hash it has.
If you don't believe me, you can look at the request said site issues for some arbitrary string - it's just the first 5 characters of the SHA1 hash, and the response from the server is as I (and that link) describe.
[1] - https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...
There's some code that page uses: http://az416426.vo.msecnd.net/scripts/a/ai.0.js
Note the lack of https.
You are going to trust a page with that code with your important passwords?
Sure it claims to anonymize it first, but most don't know enough code to verify it themselves.
Much like trusting curl https://whatever.com | sudo /bin/bash
Crazy.
# SHA-1 of the candidate password, upper-cased; awk takes the last field so both the
# "(stdin)= <hash>" and the bare-hash output formats of openssl work
sha1=$(printf '%s' 'happy123' | openssl sha1 | awk '{print toupper($NF)}')
# Only the first 5 hex chars leave the machine (k-anonymity); the remaining 35 are
# matched locally against the SUFFIX:COUNT lines (CRLF-terminated) in the response
result=$(curl -s "https://api.pwnedpasswords.com/range/${sha1:0:5}" | tr -d '\r' | grep -i "^${sha1:5}")
echo "Count: ${result#*:}"
With that, I can see that the password 'happy123' has been "pwn'd" 70,617 times.
No, I don't have any particular reason to trust it.
I was just pointing out that the claim you made was inaccurate.
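The k-anonymity range lookup described in this thread (send only the first five hex characters of the password's SHA-1, then match the remaining 35-character suffix locally against the SUFFIX:COUNT lines returned), as an added worked example that is not part of any comment here. The sample response is constructed for the offline demo around the 21BD1 prefix and the suffix/count line quoted above; the fetch_range helper is an assumption about how one would call the endpoint the thread names and is not exercised offline.

```python
"""Pwned Passwords k-anonymity range check, worked offline (added example)."""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"  # endpoint named in the thread


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex: str) -> tuple:
    """Only the 5-char prefix leaves the machine; the 35-char suffix stays local."""
    return sha1_hex[:5], sha1_hex[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (CRLF-terminated in the real API) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, body: str) -> int:
    """Number of times the password appears, given the response for its prefix (0 = not found)."""
    _prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live query (assumed call shape; not used by the offline demo). URL carries only the prefix."""
    with urllib.request.urlopen(RANGE_API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 21BD1: the suffix/count line quoted in the
# thread plus two made-up decoy suffixes, so the match is decided by the local suffix.
SAMPLE_RESPONSE_21BD1 = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "2DC183F740EE76F27B78EB39C8AD972A757:51259\r\n"
    "FFFFE3FF6A2F6E0C7BA0D1E3E6B5D4B8A0C:1\r\n"
)

if __name__ == "__main__":
    prefix, _ = split_hash(sha1_upper("P@ssw0rd"))
    print("prefix sent:", prefix)
    print("seen", breach_count("P@ssw0rd", SAMPLE_RESPONSE_21BD1), "times")
```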
Of course, if we don't completely trust Troy Hunt and everybody associated with the site then we could assume that now those passwords have been added to a secret list of known unknowns, to use when trying to crack the hashed files they already have stored.
Security sure is difficult! I know it says at the top of the article that it is pitched at non-technical people, but most of the people I know would have glazed over in the first few paragraphs.
Please don't make false assertions about what I was suggesting without any evidence.
Pwned Passwords consists of a number of tools, which one you choose to use depends on the concerns you have and the effort you choose to put in. Both the API and the SHA download files provide secure means of checking if your password is present in this data dump.
I would certainly not put any live passwords into the webform.
Troy seems to have a fine reputation, but I don't want to trust the crown jewels (my passwords to everything) on Troy's reputation, the security of his site, cloudflare, and random javascript bits hosted in various places.
So sure the design and explanation of the page is that passwords are not uploaded. But since I can't practically verify that myself, I wouldn't upload passwords there. What's worse is even if I could audit every line of code, I couldn't guarantee other people wouldn't get a malicious version of the site.
So generally saying "Sure, type your password into a form on this webpage, I found an explanation that says it's not uploading it." is a very bad idea.
There's similarly plausible pages for things like generating SSL certs (not just CSRs), ssh keys, generating passwords for you, and similar that often have reassuring explanations that their security is just fine.
So generally never put your private key or plaintext password where a random 3rd party might read it. The promise that some anonymization process will be applied should not be enough to get you to risk it.
This reminds me of: http://bash.org/?244321
I claimed your initial unqualified statement, that it uploaded your password, was inaccurate, with both an explanation of what it was doing and the claim that I had not seen any evidence of it doing anything else.
I did not claim the site was not vulnerable to MITM or other injection attacks.
I did not claim you should trust this or any other resource with your password or any other data.