16 Billion Passwords Exposed

Solitaire

16 Billion Passwords Exposed In Record-Breaking Data Breach by Vilius Petkauskas

The largest data breach in history involves 16 billion login credentials.
The records are scattered across 30 different databases, and some records are or might be overlapping.
The data most likely comes from various infostealers.
The data is recent, not merely recycled from old breaches.
Cybercriminals now have unprecedented access to personal credentials and could exploit them for account takeovers, identity theft, and targeted phishing attacks.


Unnecessarily compiling sensitive information can be as damaging as actively trying to steal it. For example, the Cybernews research team discovered a plethora of supermassive datasets, housing billions upon billions of login credentials. From social media and corporate platforms to VPNs and developer portals, no stone was left unturned.

Our team has been closely monitoring the web since the beginning of the year. So far, they’ve discovered 30 exposed datasets containing from tens of millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records.

None of the exposed datasets were reported previously, bar one: in late May, Wired magazine reported a security researcher discovering a “mysterious database” with 184 million records. It barely scratches the top 20 of what the team discovered. Most worryingly, researchers claim new massive datasets emerge every few weeks, signaling how prevalent infostealer malware truly is.


This stuff just drives me crazy.

Am I safe or am I not? How do I know if I have been hacked? And, if I change my password, then what's to stop them from getting it again?

Ugh.
 
Six months from now we may get a letter from one of those big corporations suggesting we change our passwords. By then it will be far too late. I'm wondering if I should bother right now.
 
On the heels of a massive breach, it feels weird to go to an unknown site and start giving out info...

Also, 16 billion? Sounds like we would all be pegged for one or two. I mean, yes, we all have multiple accounts and passwords, but yikes... 16b?

ETA: that site says they got me
 
As I understand it, this is not a new breach, but rather malware being identified with libraries of login information assembled from multiple breaches over the last year or more.
 
What you do is you change your passwords regularly.
On a quick search I have at least 25 site accesses I'd have to change. Most are MFA. And that's with the variations of one password. I have a couple others so the total is probably closer to 50. Not so convenient for doing "regularly". But may be necessary in this case.
 
This is why I think anything involving anything financial (not just banks, but stuff like Amazon) should require MFA. And I'm surprised by now CAC cards haven't become commonplace. Passwords alone are getting to a point where they just don't cut it anymore, no matter how long or cryptic they are.
 
This is why I think anything involving anything financial (not just banks, but stuff like Amazon) should require MFA.
And I'm surprised by now CAC cards haven't become commonplace. Passwords alone are getting to a point where they just don't cut it anymore, no matter how long or cryptic they are.
I think just the concept of a gubmint-issued card is a no-go for many people. Never mind the fact that they already have plenty of your information through driver's license and credit cards and web surfing and whatnot.
 
I think just the concept of a gubmint-issued card is a no-go for many people.
You mean like driver's licenses and social security cards?

Besides, it doesn't have to be a govt thing, just the idea of a physical card that must be used to access various things.
 
Passwords should not be stored by organizations. A password should go through a complex one-way formula (that includes a unique salt, so that two people using the same password have different results). Then store the result. When the password is used again, put it through the one-way formula again and compare with what has been stored. If organizations did that then no passwords would ever be stolen from organizations.
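The scheme described in the post above, written out as an added example (this is not code from the thread or from any site it mentions). It uses PBKDF2-HMAC-SHA256 from the Python standard library as the "complex one-way formula", a random 16-byte salt per record, and a constant-time comparison at verification time; the user names and passwords in the table are constructed for the example. The stored record carries its own iteration count so the work factor can be raised later without breaking existing users.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Work factor, in line with current OWASP guidance for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record "pbkdf2_sha256$iterations$salt_hex$digest_hex".

    The salt is random and unique per record, so two users who choose the same
    password end up with different stored values. The password itself is never stored.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=DIGEST_BYTES)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-run the one-way function with the stored salt and compare the results.

    hmac.compare_digest keeps the comparison time independent of how many
    leading bytes match, so an attacker cannot learn the digest byte by byte.
    """
    try:
        algo, iterations_str, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False  # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


# A record for a password nobody uses, so lookups of unknown users cost the
# same as lookups of real users (no "this account exists" timing signal).
DUMMY_RECORD = hash_password("not-a-real-password-" + secrets.token_hex(8))


def build_user_table() -> Dict[str, str]:
    """Constructed in-memory user table; alice and bob deliberately share a password."""
    return {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("correct horse battery staple"),
        "carol": hash_password("Tr0ub4dor&3"),
    }


def same_password_different_records(table: Dict[str, str]) -> bool:
    """The point of the salt: identical passwords do not produce identical stored values."""
    return table["alice"] != table["bob"]


def login(table: Dict[str, str], user: str, password: str) -> bool:
    """Authenticate against the table; the table holds only salts and digests."""
    record = table.get(user)
    if record is None:
        verify_password(password, DUMMY_RECORD)  # burn the same time, then refuse
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users = build_user_table()
    print("alice record:", users["alice"])
    print("bob record:  ", users["bob"])
    print("same password, different records:", same_password_different_records(users))
    print("alice good login:", login(users, "alice", "correct horse battery staple"))
    print("alice bad login: ", login(users, "alice", "Correct horse battery staple"))
```

If a table like this leaks, the attacker still has to guess each password and run the slow function once per guess per user; what they do not get is the passwords themselves. That is also why a leaked table is not the same thing as an infostealer log, which captures the password as typed on the victim's machine, salted hash or not.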
 
I can help. Send me your usernames and passwords and I will go check if they've been exposed to the Internet 😇.
 
On a quick search I have at least 25 site accesses I'd have to change. Most are MFA. And that's with the variations of one password. I have a couple others so the total is probably closer to 50. Not so convenient for doing "regularly". But may be necessary in this case.

I have 114 entries in my Password_SafeWP safe.

Y'all are like frequency-hopping by hand in this day and age. Tapping out your posts one bit at a time on a morse code machine.
 
This explains why I occasionally get a scam email from myself ;)
 
On the heels of a massive breach, it feels weird to go to an unknown site and start giving out info...
I am not sure I can trust that site. I entered an email address and it says it appears in a data breach from 2012. But the breach is from a site I have never visited (and the email address wasn't created until after 2012).
 
I am not sure I can trust that site. I entered an email address and it says it appears in a data breach from 2012. But the breach is from a site I have never visited (and the email address wasn't created until after 2012).
I wonder if your email address was used by someone else prior to you using it. They then gave it up and you took it over? Pity you cannot see the information that has been leaked.
 
I am not sure I can trust that site. I entered an email address and it says it appears in a data breach from 2012. But the breach is from a site I have never visited (and the email address wasn't created until after 2012).

Could be a few different things. The site that you set the account up with could have been sold to different vendors, sending the passwords and data with it. As rjh01 said, someone else could have used the email address. It could be a reporting error from the company that had the breach.

I don't know how reliable that site is but I've used it for years and it seems to check out and align with known hacks my email was a part of. Anecdotal but do with it what you will
 
My bank logon requires not just MFA, but a FIDO2 physical security key, ditto my main business and personal email accounts. I do no banking on a cell phone, only on my PC, where I have a better understanding of keeping my system safe. Passwords are all impossibly complex and require a dedicated password manager. Passkeys are, as I understand them, also a nice move, as you must be on an approved device for them to function.
 
I don't know how reliable that site is but I've used it for years and it seems to check out and align with known hacks my email was a part of. Anecdotal but do with it what you will

I wasn't seriously disparaging the site in my previous post. I just thought it was amusing that an email address that didn't exist a decade ago was in a dump from 12 years ago.

In addition to the possible explanations others have posted, I suspect that hackers might have later augmented the collection of data from that hacked site by adding other data to it in an attempt to make the collection larger and appear more impressive.

That was one of only three sites listed for my address and the only one where the data supposedly had the password. The other two sites used MFA and passwords are encrypted.
 
My bank logon requires not just MFA, but a FIDO2 physical security key, ditto my main business and personal email accounts. I do no banking on a cell phone, only on my PC, where I have a better understanding of keeping my system safe. Passwords are all impossibly complex and require a dedicated password manager. Passkeys are, as I understand them, also a nice move, as you must be on an approved device for them to function.

You've definitely got a good system. Crazily enough where I work we require 15 character passwords and MFA. Unfortunately it did absolutely no good when a bad actor was able to acquire their session token and used it to access their O365 account. I'd never seen something like that actually done in the wild, but sure enough. Just goes to show that nothing is truly secure.
 
Accessing my password manager also requires the FIDO2, forgot to say.

NB: Buy two devices and identify both with each system. Carry one on a keychain, keep the other securely stored. Lose a one-and-only FIDO2, and traveling up a certain creek with no paddle is guaranteed.
 