Billions of passwords leaked in largest online data breach

Well, in the first article they point you to a site to check, but unless I'm reading something wrong, or misunderstanding what they're trying to say, it doesn't actually check whether a password was leaked or not.

The page they link to is: https://cybernews.com/personal-data-leak-check/

And the instructions state:

How does this tool work?

Our checker has a 500 GB database of leaked hashed emails. To check if your email address has leaked:
  1. Enter the email address into the search field (we don’t collect or store email addresses)
  2. Click Check Now
  3. View the search results on the same page

If they intend "hashed emails" to mean passwords, well, that's a very poor way of indicating same. I don't know what it is they're getting at. And I don't consider my e-mail address to be private. I don't know how anyone who's been using email for more than 5 minutes could possibly believe that their email address is private.

What on earth do they mean?
 
The thought runs through my mind that it's an email harvesting scam.
Enter your real email address and they check off the list as a live address.

Very confusing way to do it tbh.
 
This is just a compilation of previous data breaches, it is nothing new

Which is precisely what I presume. But the way they've got things worded is well, stupid.

It looks like a variant on https://haveibeenpwned.com/ and similar. I know that my e-mail address has been breached on several occasions, having been in both the Anthem and Equifax breaches. I'm not about to drop an email address (or its use as a login) because it's been part of a data breach. I changed the password and, in some cases, added 2FA. The world goes on.

And breached data, as a general rule, has a very short shelf life and window for use (unless something like your SSN [in the USA] is involved along with your name, address, etc. - then ID theft enters the picture and attempts at that can recur over time).
 
Yes, they haven't worded the tool very well. The article was first written before most people realised it was just a compilation, so that no longer means anything.
I don't think they've created it to be an email harvesting tool (however some sites may do this); I suspect all they've done is added the contents of rockyou2021.txt to a database, and that script checks against it to see if it contains the inputted email address, just like HIBP does.

I agree that breached data has a short lifespan for unauthorised access use, as any sensible person would change the leaked password immediately on hearing the news, but as an investigation tool that data can be quite valuable, especially when people use passwords with a personal meaning. It's then more data to build a profile on someone.
 
but as an investigation tool that data can be quite valuable, especially when people use passwords with a personal meaning.

But what you're describing, the use of investigation, is characteristic of targeted attacks. Targeted attacks are very, very seldom the outcome of data breaches. There is no way of knowing who, in the breached data, is a worthy target.

Just like the breach itself is of the "smash and grab" (even if the smash itself requires very hard work and targeting to get past security) the data so extracted is mostly used for similar. You see what you can easily get into with minimal effort, and usually little attempt to specifically target what's gotten into other than it having the potential to allow something (usually cash or identity) to be stolen. And you only have the time before the breach is detected and publicized to do it, for the most part.

Breached data, as a functional tool for theft, for the most part has the shelf life of milk left at room temperature. You have a very short window indeed where it's of much utility. I certainly don't lie awake at night worrying that what got out about me in either the Anthem or Equifax breaches is in any way likely to be used now. Identity theft monitoring services (in addition to my paying attention to my accounts) have not found a single instance of unauthorized use, or even an attempt to use, that information in the years that have followed. I also know that in the grand scheme of things, I am a very little fish of very little interest to those hoping to get a cash haul.
 
But what you're describing, the use of investigation, is characteristic of targeted attacks. Targeted attacks are very, very seldom the outcome of data breaches. There is no way of knowing who, in the breached data, is a worthy target.

Just like the breach itself is of the "smash and grab" (even if the smash itself requires very hard work and targeting to get past security) the data so extracted is mostly used for similar. You see what you can easily get into with minimal effort, and usually little attempt to specifically target what's gotten into other than it having the potential to allow something (usually cash or identity) to be stolen. And you only have the time before the breach is detected and publicized to do it, for the most part.

Breached data, as a functional tool for theft, for the most part has the shelf life of milk left at room temperature. You have a very short window indeed where it's of much utility. I certainly don't lie awake at night worrying that what got out about me in either the Anthem or Equifax breaches is in any way likely to be used now. Identity theft monitoring services (in addition to my paying attention to my accounts) have not found a single instance of unauthorized use, or even an attempt to use, that information in the years that have followed. I also know that in the grand scheme of things, I am a very little fish of very little interest to those hoping to get a cash haul.

I didn't mean the actual "hackers" who gained access, I mean for others once the data has been breached, like private investigators for example. Many will use breached data to help build a profile.

I have been included in a couple of breaches too and I do not worry either. Nobody, to my knowledge, ever gained access to my accounts.

Because data breaches do have a limited shelf life, most "hackers" will use the passwords in their dictionaries on other attempts elsewhere and I believe this is why this list was created.
 
I mean for others once the data has been breached, like private investigators for example. Many will use breached data to help build a profile.

That could be absolutely true, but only for folks who have almost zero internet presence, and they're few and far between these days.

I have avoided social media since its very inception, so you can't really find anything about me on social media (and I don't count my Facebook business page, as it contains even less about me than my own website does).

Profiling of the type you refer to is most often dirt simple these days for anyone with basic internet search skills and who can also use any one of a number of sites that are already set up to profile you based on publicly available records (stored online) of all sorts.

I have said, and will always say, that privacy as our parents and grandparents knew it (if you're of my age, late 50s) has been gone for a very long time now and will never come back. Just like the phrase "security by obscurity" the same concept applies to privacy. When I was a kid there was no such thing as a publicly searchable online database of public records. Trying to find information in public records about anyone was an incredibly tedious and laborious process that was also largely geographically constrained as well. It wasn't easy for an investigator in California to search public records in the Highland County, Virginia, courthouse without traveling a great distance or engaging someone else to do that legwork. Now, virtually any public record you can think of, anywhere it's been recorded, can be searched not just nationwide, but worldwide. There is no "obscurity" anymore in any meaningful sense of that word.

Thus, my only real concern secondary to breaches is the short term cyberspace "smash and grab" activity that can ensue and, if enough personal data is breached and can be combined with other public sources, a long term concern about identity theft. But taking a few simple steps like freezing your records at all the credit agencies makes the latter, or the worst parts about it, very difficult to do in the first place.

Just musing . . .
 
While I agree with you for the most part, the sites that gather information in one easy place only really work in the US. Here in the UK those sites don't hold much information; most of the information has to be found manually, and even then, not a lot of information is available.
I could search for a US citizen on one of those sites and find everything from name, address (including previous addresses), relatives, car they drive, any court records, any phone numbers, but in the UK that information is not publicly available, so any extra information such as any sites they are/have been a member of and any passwords such as "mypartnersname123" help gather information.

Social media is by far the best place to gather intelligence on someone, but information in a data breach can lead you to find that social media profile or confirm one you have found is the correct target. I don't really post on social media any more (I was guilty of it in the past) and my profiles are as locked down as they can be.

I do not use any "personalised" passwords and try not to use any dictionary words, not that I have anything to hide from anyone wanting to investigate me, but by not using dictionary words you are one small step more secure in terms of someone guessing your password (not that this matters in a data breach), and it also will not appear to have any personal link to anyone viewing it.

We have gotten a little off topic from the news about data breaches, but I thought I'd put forward my views about data breaches, when most people think they are safe as soon as they have changed their password (which for the most part they are). I hadn't thought about it until recently.
 
@alexsmith2709

Your observations about what's available in different countries are definitely illuminating.

When it comes to "what can be collected" I'm always writing from my own personal experience which is, of course, USA-centric. Other countries definitely still have far stronger privacy laws and what is available to the public electronically is significantly more restricted.
 