An Astonishing 773 Million Records Exposed in Monster Breach

There are breaches, and there are megabreaches, and there’s Equifax. But a newly revealed trove of leaked data tops them all for sheer volume: 772,904,991 unique email addresses, over 21 million unique passwords, all recently posted to a hacking forum.

The data set was first reported by security researcher Troy Hunt, who maintains Have I Been Pwned, a way to search whether your own email or password has been compromised by a breach at any point. (Trick question: It has.) The so-called Collection #1 is the largest breach in Hunt’s menagerie, and it’s not particularly close.

The Hack

If anything, the above numbers belie the real volume of the breach, as they reflect Hunt’s effort to clean up the data set to account for duplicates and to strip out unusable bits. In raw form, it comprises 2.7 billion rows of email addresses and passwords, including over a billion unique combinations of email addresses and passwords.

The trove appeared briefly on MEGA, the cloud service, and persisted on what Hunt refers to as “a popular hacking forum.” It sat in a folder called Collection #1, which contained over 12,000 files that weigh in at over 87 gigabytes. While it’s difficult to confirm exactly where all that info came from, it appears to be something of a breach of breaches; that is to say, it claims to aggregate over 2,000 leaked databases that contain passwords whose protective hashing has been cracked.

“It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers,” Hunt tells WIRED. “There’s no obvious patterns, just maximum exposure.”

That sort of Voltron breach has happened before, but never on this scale. In fact, not only is this the largest breach to become public, it’s second only to Yahoo’s pair of incidents—which affected 1 billion and 3 billion users, respectively—in size. Fortunately, the stolen Yahoo data hasn’t surfaced. Yet.

Who’s Affected?

The accumulated lists seem designed for use in so-called credential-stuffing attacks, in which hackers throw email and password combinations at a given site or service. These are typically automated processes that prey especially on people who reuse passwords across the whole wide internet.

The silver lining in Collection #1 going public is that you can definitively find out if your email and password were among the impacted accounts. Hunt has already loaded them into Have I Been Pwned; just type in your email address and keep those fingers crossed. While you’re there you can also find out how many previous breaches you’ve been a victim of. Whatever password you’re using on those accounts, change it.

Have I Been Pwned also introduced a password-search feature a year and a half ago; you can just type in whatever passwords go with your most sensitive accounts to see if they’re out in the open. If they are, change them.
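
The password-search feature works without the full password ever being sent: the service's Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every hash suffix sharing that prefix with a breach count, so the match is made locally. The following is an added example of that client-side logic (written for this page, not Have I Been Pwned's own code); the endpoint shape matches the public API, while the network call is left to the caller and the server reply below is constructed so the code runs offline.

```python
import hashlib

# Known endpoint: GET this URL plus a 5-hex-char SHA-1 prefix returns lines
# of "SUFFIX:COUNT". Fetching is left out so the example runs offline.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_request_url(password):
    """The only thing that leaves the machine is this URL (prefix, no password)."""
    prefix, _ = sha1_prefix_suffix(password)
    return RANGE_URL + prefix


def pwned_count(password, range_response):
    """Parse a range response and return how many times the password was seen,
    or 0 when its suffix is absent from the reply."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def constructed_range_response(known):
    """Constructed stand-in for a server reply. `known` maps password -> count;
    only suffixes are emitted, as in the real response format, plus one filler
    suffix that belongs to no password checked here."""
    lines = [f"{sha1_prefix_suffix(pw)[1]}:{count}" for pw, count in known.items()]
    lines.append("0" * 34 + "A:3")
    return "\r\n".join(lines)


if __name__ == "__main__":
    reply = constructed_range_response({"password": 3730471})  # constructed count
    print(range_request_url("password"))
    print("seen", pwned_count("password", reply), "times")
```

A real client would request `range_request_url(pw)` and pass the response body to `pwned_count`; a password found with any non-zero count should be treated as burned, exactly as the article advises.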

And while you’re at it, get a password manager. It’s well past time.

How Serious Is This?

Pretty darn serious! While it doesn’t appear to include more sensitive information, like credit card or Social Security numbers, Collection #1 is historic for scale alone. A few elements also make it especially unnerving. First, around 140 million email accounts and over 10 million unique passwords in Collection #1 are new to Hunt’s database, meaning they’re not just duplicates from prior megabreaches.

Then there’s the way in which those passwords are saved in Collection #1. “These are all plain text passwords. If we take a breach like Dropbox, there may have been 68 million unique email addresses in there, but the passwords were cryptographically hashed, making them very difficult to use,” says Hunt. Instead, the only technical prowess someone with access to the folders needs to break into your accounts is the ability to scroll and click.

And lastly, Hunt also notes that all of these records were sitting not in some dark web backwater, but on one of the most popular cloud storage sites—until it got taken down—and then on a public hacking site. They weren’t even for sale; they were just available for anyone to take.

The usual advice for protecting yourself applies. Never reuse passwords across multiple sites; it increases your exposure by orders of magnitude. Get a password manager. Have I Been Pwned integrates directly into 1Password—automatically checking all of your passwords against its database—but you’ve got no shortage of good options. Enable app-based two-factor authentication on as many accounts as you can, so that a password isn’t your only line of defense. And if you do find your email address or one of your passwords in Have I Been Pwned, at least know that you’re in good company.


Apple, Amazon called out for 'incorrect' Taiwan, Hong Kong references

TAIPEI/SHANGHAI (Reuters) – One of China’s top government-linked think tanks has called out Apple Inc, Amazon.com Inc and other foreign companies for not referring to Hong Kong and Taiwan as part of China in a report that provoked a stern reaction from Taipei.

FILE PHOTO: An electronic screen displays the Apple Inc. logo on the exterior of the Nasdaq Market Site following the close of the day’s trading session in New York City, New York, U.S., August 2, 2018. REUTERS/Mike Segar/File Photo

The Chinese Academy of Social Sciences (CASS) said in a report this month that 66 of the world’s 500 largest companies had used “incorrect labels” for Taiwan and 53 had errors in the way they referred to Hong Kong, according to China’s Legal Daily newspaper. It said 45 had referred to both territories incorrectly.

Beijing considers self-ruled Taiwan a wayward province of China. The former British colony of Hong Kong returned to Chinese rule in 1997 and operates as a semi-autonomous territory.

China last year ramped up pressure on foreign companies including Marriott International and Qantas for referring to Taiwan and Hong Kong as separate from China in drop down menus or other material.

The report was co-written by CASS and the Internet Development Research Institution of Peking University. An official at the Internet Development Research Institution told Reuters that it had not yet been published to the public and declined to provide a copy.

A spokesman for Taiwan President Tsai Ing-wen said Taiwan would not bow to Chinese pressure.

“As for China’s related out-of-control actions, we need to remind the international community to face this squarely and to unite efforts to reduce and contain these actions,” Alex Huang told reporters in Taipei.

Beijing has stepped up pressure on Taiwan since Tsai, from the pro-independence ruling party, took office in 2016.

That has included rising Chinese scrutiny over how companies from airlines, such as Air Canada, to retailers, such as Gap, refer to the democratic island in recent months.

Nike Inc, Siemens AG, ABB, Subaru and others were also on the list. Apple, Amazon, ABB, Siemens, Subaru and Nike did not immediately respond to Reuters’ requests for comment.

Reporting By Yimou Lee, Jess Macy Yu, Josh Horwitz; Additional Reporting by Shanghai Newsroom, Gao Liangping, Cate Cadell, Pei Li, Brenda Goh and Naomi Tajitsu in TOKYO; Editing by Paul Tait and Nick Macfie


Exclusive: Facebook brings stricter ads rules to countries with big 2019 votes

SAN FRANCISCO (Reuters) – Facebook Inc told Reuters on Tuesday that it would extend some of its political advertising rules and tools for curbing election interference to India, Nigeria, Ukraine and the European Union before significant votes in the next few months.

FILE PHOTO: Silhouettes of mobile users are seen next to a screen projection of Facebook logo in this picture illustration taken March 28, 2018. REUTERS/Dado Ruvic/Illustration/File Photo

As the largest social media service in nearly every big country, Facebook since 2016 has become a means for politicians and their adversaries to distribute fake news and other propaganda.

Buying Facebook ads can widen the audience for such material, but some of those influence efforts may violate election rules and the company’s policies.

Under pressure from authorities around the world, Facebook last year introduced several initiatives to increase oversight of political ads.

Beginning on Wednesday in Nigeria, only advertisers located in the country will be able to run electoral ads, mirroring a policy unveiled during an Irish referendum last May, Katie Harbath, Facebook’s director of global politics and outreach, said in an interview.

The same policy will take effect in Ukraine in February. Nigeria holds a presidential election on Feb. 16, while Ukraine will follow on March 31.

In India, which votes for parliament this spring, Facebook will place electoral ads in a searchable online library starting from next month, said Rob Leathern, a director of product management at the company.

“We’re learning from every country,” Leathern said. “We know we’re not going to be perfect, but our goal is continuing, ongoing improvement.”

Facebook believes that holding the ads in a library for seven years is a key part of fighting interference, he added.

The library will resemble archives brought to the United States, Brazil and Britain last year.

The newfound transparency drew some applause from elected officials and campaign accountability groups, but they also criticized Facebook for allowing advertisers in the United States to obfuscate their identities.

The Indian archive will contain contact information for some ad buyers or their official regulatory certificates. For individuals buying political ads, Facebook said it would ensure their listed name matches government-issued documents.

The European Union would get a version of that authorization and transparency system ahead of the bloc’s parliamentary elections in May, Leathern said.

The ad hoc approach, with varying policies and transparency depending on the region, reflects local laws and conversations with governments and civil society groups, Harbath said.

That means extra steps to verify identities and locations of political ad buyers in the United States and India will not be introduced in every big election this year, Leathern said.

In addition, ad libraries in some countries will not include what the company calls “issue” ads, Leathern said.

Facebook’s U.S. archive includes ads about much-debated issues such as climate change and immigration policy even though they may not directly relate to a ballot measure.

Australia, Indonesia, Israel and the Philippines are among nations holding key votes this year for which Facebook said it is still weighing policies.

Leathern and Harbath said they hoped to have a set of tools that applies to advertisers globally by the end of June. They declined to elaborate, saying lessons from the next couple of months would help shape the worldwide product.

FILE PHOTO: The logo of Facebook is pictured during the Viva Tech start-up and technology summit in Paris, France, May 25, 2018. REUTERS/Charles Platiau/File Photo

“Our goal was to get to a global solution,” Harbath said. “And so, until we can get to that in June, we had to look at the different elections and what we think we can do.”

Other Facebook teams remain focused on identifying problematic political behavior unrelated to ads.

Last month, researchers working for a U.S. Senate committee concluded that the Russian government’s Internet Research Agency used social media ads and regular posts on inauthentic accounts to promote then presidential candidate Donald Trump to millions of Americans. Russia has denied the accusation.

Reporting by Paresh Dave; Editing by Clarence Fernandez
