MASSIVE data leak; 700 million emails compromised


Postby linkfanpc » Sat Jan 19, 2019 9:16 pm

Apologies if this was already posted, but I checked and didn't see.

Two days ago, Jan 17, a huge list of well over 700 million cracked emails, 20 million of which with their passwords also unlocked, was unearthed on a popular hacking forum. Here are some articles detailing them.

https://gizmodo.com/mother-of-all-breac ... 1831833456
https://www.troyhunt.com/the-773-millio ... ata-reach/

You can check if your email has become insecure here: https://haveibeenpwned.com/
And any passwords, particularly ones you use on multiple sites, here: https://haveibeenpwned.com/Passwords

Obviously they're both secure but if you have any doubt feel free to not use them.

According to my email, three people from Korea, the Netherlands and the US had my email credentials, including my password, and tried to get in, the Korea person doing it on the day of the list coming out. My security stopped them and I changed my password, but it could have been much worse.

Everyone, check your emails ASAP! If any suspicious activity is reported change your password immediately, and remember to activate two-factor authentication on your sites like banking websites, Steam, Epic Games, etc, and add an emergency email or phone number to your email. It's what saved me from potentially losing everything.

I've heard very little on this and thought I needed to pass on the news. Stay safe.
Total misplay.
jorb wrote:Hitting a "Ghejejiiwlonk" with your "Umappawoozle" for eightyfifteen points of "Sharmakookel", simply makes no sense.

W7: Semi-Hermit
W8: Semi-Hermit
W9-15: Lawspeaker of villages of myself-4 people.
W16: Hermit
linkfanpc
 
Posts: 2156
Joined: Wed Aug 05, 2015 7:07 pm
Location: A Cabin
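
The Pwned Passwords check linked in the post above can be done without sending the password or its full hash anywhere, using the service's range (k-anonymity) API. The sketch below is an added example, not part of the original post: the response body and its counts are constructed, and the function names are hypothetical.

```python
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # range endpoint; not called here

def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest: 5 + 35 characters."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def range_request_url(password):
    """The only thing that leaves the machine: a URL ending in the 5-char prefix."""
    return RANGE_URL + split_hash(password)[0]

def breach_count(password, range_body):
    """Compare our suffix locally against the 'SUFFIX:COUNT' lines of a response."""
    suffix = split_hash(password)[1]
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0  # suffix absent: this password is not in the corpus

def constructed_body(leaked_password, count):
    """Build a CONSTRUCTED response body (made-up counts) holding one real suffix."""
    suffix = split_hash(leaked_password)[1]
    filler = ["0" * 35 + ":3", "F" * 35 + ":0"]  # fake neighbours, one with count 0
    return "\r\n".join([filler[0], f"{suffix}:{count}", filler[1]])

SAMPLE_BODY = constructed_body("password", 12345)  # 12345 is an invented count

if __name__ == "__main__":
    # In real use the body is fetched separately for each password's own prefix;
    # here one constructed body stands in for both lookups.
    for pw in ("password", "correct horse battery staple"):
        print(range_request_url(pw), "->", breach_count(pw, SAMPLE_BODY))
```

The server only ever sees the first 5 of 40 hex characters, which many different passwords share; the match against the remaining 35 happens locally.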

Re: MASSIVE data leak; 700 million emails compromised

Postby MagicManICT » Sat Jan 19, 2019 9:39 pm

It's just going to get worse. A few years ago, Target's authentication system got cracked and a few million credit cards were stolen. If you shopped at Target at that time between just before Christmas and about six to eight weeks before, your card was stolen. Before that, Sony got hacked and pirates made off with a few million PlayStation user account credentials. The future is looking extremely grim. Quantum computing is coming, and will just make all of this seem like a sweet dream.

If you care about the security of your accounts, get a password manager that you keep on a secure device and will generate a random, hard to guess password for each site. Even Microsoft, who went from "we want you to log into your computer with your Microsoft account," went to "We recommend you create a personal PIN to log into your device different from your account password."

Want something interesting? There's one of those word cloud things floating around with the 10000 most commonly used passwords. Fun fact: "password" has gone from #1 to just being "in the top 10." How do we learn these things? Hacker posts like this.
Opinions expressed in this statement are the authors alone and in no way reflect on the game development values of the actual developers.
MagicManICT
 
Posts: 18435
Joined: Tue Aug 17, 2010 1:47 am

Re: MASSIVE data leak; 700 million emails compromised

Postby shubla » Sat Jan 19, 2019 11:20 pm

Better to just turn into Amish these days!
I'm not sure that I have a strong argument against sketch colors - Jorb, November 2019
http://i.imgur.com/CRrirds.png?1
Join the moderated unofficial discord for the game! https://discord.gg/2TAbGj2
Purus Pasta, The Best Client
shubla
 
Posts: 13041
Joined: Sun Nov 03, 2013 11:26 am
Location: Finland

Re: MASSIVE data leak; 700 million emails compromised

Postby Igglebert » Sat Jan 19, 2019 11:43 pm

There was also that large Equifax database breach that happened at the beginning of 2018. 150+ Million in credit card info getting leaked or something.
Igglebert
 
Posts: 293
Joined: Wed Dec 02, 2009 9:50 pm

Re: MASSIVE data leak; 700 million emails compromised

Postby shubla » Sun Jan 20, 2019 12:43 am

If you don't want to get used to the Amish way of living, there is indeed another option.
Some tips:

1. Use 2FA everywhere where it is possible, AND DO WRITE DOWN ALL OF THE RECOVERY CODES AND DON'T EVER LOSE THEM. Recovering your account without them if you lose your 2FA device (phone gets stolen or broken, for example) is in some cases 100% impossible, and even if it would not be impossible, the process is long and frustrating. (If it would be easy, the attacker could use this and 2FA would be useless.) If your house burns down or something, get new recovery codes for all the sites.

2. Don't re-use passwords, ever. Preferably use randomly generated passwords. Human generated passwords are bad every time, no exceptions.

3. Use long passwords. After a certain length it does not really add any additional security, but even if a site would allow you to use like 6-character passwords of a-z letters, don't do it. Preferably generate random passwords and use symbols and numbers in them if the site allows; something like 16 characters will be enough for sure.

The question now might be, how are you going to remember all of your 16-character passwords that are randomly generated?
Well... A password manager is a good idea. But be careful on what manager you use. Some of them may be bad.
For password managers... use 2FA and some hard-to-guess passphrase, you can make it long and complex, as you only have to remember 1 password now, preferably write it down as well just in case you forget it. Write down the recovery codes for 2FA also.

One might now ask: "What if somebody finds all of my passwords that I wrote down?" Well... if somebody breaks into your house, they are probably ready to capture and torture you for your passwords, so it doesn't really matter anymore at this point. If you are like a CEO of a big company or there are reasons why some people would actively try to break into your house and computer to get data, you should probably get advice on how to protect your accounts, computer and yourself from somebody more professional.

Basically it is a better idea to have 1 password that is very secure which will tell all of your other passwords, instead of using same or weak passwords on sites that you use.

And even if you would decide not to do any of those things, do at least one thing. Secure your e-mail account. If you lose your email, it's all over (except if you use 2FA). With your email address, they will see where you have accounts, and they can easily reset all passwords on sites that allow you to reset passwords through only your email address.

Of course, none of this prevents somebody from stealing your accounts by other means. There are still plenty of ways to do so, such as infecting your computer etc. But if you follow these tips, at least they don't get your account from one of these data breaches. (Which is probably the most common way for people to obtain accounts of other people on various sites)

You may not want to use lastpass...
https://en.wikipedia.org/wiki/LastPass#Security_issues
or any other 3rd party password management site actually, especially if they are not free.

I recommend using https://keepass.info/ or just a text file with GPG... there are many other options as well, if you know what you are doing.

Security through obscurity (steganography for example) works really well when combined with some encryption, excluding those who are specifically targeting you and are very dedicated to get into your accounts. But then again, in this case they may just come up to your door and then your passwords leaking are the least of your problems.
I have been playing with a thought of encoding my passwords to some images on my website, so they would be easily accessible from any device with some software, as no one would probably ever guess that my passwords are in those images.
shubla
 
Posts: 13041
Joined: Sun Nov 03, 2013 11:26 am
Location: Finland

Re: MASSIVE data leak; 700 million emails compromised

Postby Pupsi » Sun Jan 20, 2019 1:50 am

Image
But I have changed password 11 of January, and it has double perpetration security. Should I care?
w5 Hermit>Road Ville>Horde>RQ
w6 The Sparta
w7 Isla de la tortuga>A.D>CookieVille (not sure if it was w7 or w6)
w8 Amish Paradise
w9 Amish Paradise
w10 Amish Paradise > Maid Cafe (until april 2017)
w11 Funcy Huts
w12 :P
Pupsi
 
Posts: 550
Joined: Mon Jun 06, 2011 4:31 am
Location: heheh

Re: MASSIVE data leak; 700 million emails compromised

Postby MagicManICT » Sun Jan 20, 2019 2:00 am

shubla wrote: Use long passwords. After a certain length it does not really add any additional security, but even if a site would allow you to use like 6-character passwords of a-z letters, don't do it. Preferably generate random passwords and use symbols and numbers in them if the site allows; something like 16 characters will be enough for sure.

A 16 character passphrase of just a-z (all lowercase, 26 letters using the English language) is harder to brute force than an 8 character password of the entire UNICODE character set.
That's 4.3 x 10^22 vs 2^64 or 1.8 x 10^19. And a 4 word passphrase can be much easier to remember.

https://xkcd.com/936/

We need to retrain ourselves to memorizing bible passages, Shakespeare, and poetry... or whatever floats your boat. I'm not suggesting using those things, but being able to memorize such things trains the mind to memorize mnemonics for actual passphrases.

shubla wrote: But then again, in this case they may just come up to your door and then your passwords leaking are the least of your problems.
I have been playing with a thought of encoding my passwords to some images on my website, so they would be easily accessible from any device with some software, as no one would probably ever guess that my passwords are in those images.

This is actually a big thing. There are issues with it, but it's reliable and very secure when used properly.
MagicManICT
 
Posts: 18435
Joined: Tue Aug 17, 2010 1:47 am

Re: MASSIVE data leak; 700 million emails compromised

Postby MagicManICT » Sun Jan 20, 2019 2:01 am

And sorry for the double post, but I've had the same email for close to 20 years now. I've had it hacked a couple of times, and the worst that has happened.... some spam got sent from it once to everyone in my mailing lists or that had a history through my old collection of emails I never got rid of.
MagicManICT
 
Posts: 18435
Joined: Tue Aug 17, 2010 1:47 am

Re: MASSIVE data leak; 700 million emails compromised

Postby Ysh » Sun Jan 20, 2019 2:13 am

shubla wrote: If you don't want to get used to the Amish way of living, there is indeed another option.
Some tips:

1. Use 2FA everywhere where it is possible, AND DO WRITE DOWN ALL OF THE RECOVERY CODES AND DON'T EVER LOSE THEM. Recovering your account without them if you lose your 2FA device (phone gets stolen or broken, for example) is in some cases 100% impossible, and even if it would not be impossible, the process is long and frustrating. (If it would be easy, the attacker could use this and 2FA would be useless.) If your house burns down or something, get new recovery codes for all the sites.

2. Don't re-use passwords, ever. Preferably use randomly generated passwords. Human generated passwords are bad every time, no exceptions.

3. Use long passwords. After a certain length it does not really add any additional security, but even if a site would allow you to use like 6-character passwords of a-z letters, don't do it. Preferably generate random passwords and use symbols and numbers in them if the site allows; something like 16 characters will be enough for sure.

The question now might be, how are you going to remember all of your 16-character passwords that are randomly generated?
Well... A password manager is a good idea. But be careful on what manager you use. Some of them may be bad.
For password managers... use 2FA and some hard-to-guess passphrase, you can make it long and complex, as you only have to remember 1 password now, preferably write it down as well just in case you forget it. Write down the recovery codes for 2FA also.

One might now ask: "What if somebody finds all of my passwords that I wrote down?" Well... if somebody breaks into your house, they are probably ready to capture and torture you for your passwords, so it doesn't really matter anymore at this point. If you are like a CEO of a big company or there are reasons why some people would actively try to break into your house and computer to get data, you should probably get advice on how to protect your accounts, computer and yourself from somebody more professional.

Basically it is a better idea to have 1 password that is very secure which will tell all of your other passwords, instead of using same or weak passwords on sites that you use.

And even if you would decide not to do any of those things, do at least one thing. Secure your e-mail account. If you lose your email, it's all over (except if you use 2FA). With your email address, they will see where you have accounts, and they can easily reset all passwords on sites that allow you to reset passwords through only your email address.

Of course, none of this prevents somebody from stealing your accounts by other means. There are still plenty of ways to do so, such as infecting your computer etc. But if you follow these tips, at least they don't get your account from one of these data breaches. (Which is probably the most common way for people to obtain accounts of other people on various sites)

You may not want to use lastpass...
https://en.wikipedia.org/wiki/LastPass#Security_issues
or any other 3rd party password management site actually, especially if they are not free.

I recommend using https://keepass.info/ or just a text file with GPG... there are many other options as well, if you know what you are doing.

Security through obscurity (steganography for example) works really well when combined with some encryption, excluding those who are specifically targeting you and are very dedicated to get into your accounts. But then again, in this case they may just come up to your door and then your passwords leaking are the least of your problems.
I have been playing with a thought of encoding my passwords to some images on my website, so they would be easily accessible from any device with some software, as no one would probably ever guess that my passwords are in those images.

As far as password manager is goes, I use this one. I think maybe it is less manager and more generator. Basically it will generate password based on site name and master password, so there is no password file that can be lost or stolen.
Kaios wrote:Spice Girls are integral to understanding Ysh's thought process when communicating, duly noted.

I have become victory of very nice Jordan Coles Contest! Enjoy my winning submit here if it pleasures you.
Ysh
 
Posts: 5953
Joined: Sun Jan 31, 2010 4:43 am
Location: Chatting some friends on forum
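
The kind of generator described in the post above (a password derived from the site name and a master password, with nothing stored) can be sketched as follows. This is an added example, not part of the original post and not the tool that was linked there: the use of PBKDF2, the iteration count, the alphabet and the function names are all assumptions chosen for illustration.

```python
import hashlib
import string

# Assumed output alphabet (74 symbols); real sites differ in what they accept.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
ITERATIONS = 200_000  # assumed PBKDF2 work factor; higher slows guessing of the master

def _key_stream(master, salt):
    """Yield an endless deterministic byte stream from (master, salt)."""
    block = 0
    while True:
        yield from hashlib.pbkdf2_hmac(
            "sha256", master, salt + block.to_bytes(4, "big"), ITERATIONS, dklen=64
        )
        block += 1

def site_password(master, site, length=16, counter=1):
    """Same master + site + counter always gives the same password; nothing is stored."""
    # Normalise the site name so "Example.com " and "example.com" agree.
    salt = f"{site.strip().lower()}\x00{counter}".encode("utf-8")
    # Rejection sampling: drop bytes >= 222 so every symbol is equally likely.
    limit = 256 - (256 % len(ALPHABET))
    chars = []
    for byte in _key_stream(master.encode("utf-8"), salt):
        if byte < limit:
            chars.append(ALPHABET[byte % len(ALPHABET)])
            if len(chars) == length:
                return "".join(chars)

if __name__ == "__main__":
    master = "constructed example master passphrase"  # sample value, not a real secret
    for site in ("example.com", "example.org"):
        print(site, site_password(master, site))
    # Bumping the counter rotates one site's password after a breach of that site.
    print("example.com (rotated)", site_password(master, "example.com", counter=2))
```

The master passphrase is the single secret here: anyone who learns it and the site name can recompute every password, so its strength and the KDF cost carry the whole scheme.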

Re: MASSIVE data leak; 700 million emails compromised

Postby MagicManICT » Sun Jan 20, 2019 2:14 am

Ysh wrote:As far as password manager is goes, I use this one. I think maybe it is less manager and more generator. Basically it will generate password based on site name and master password, so there is no password file that can be lost or stolen.

Still hackable, though.
MagicManICT
 
Posts: 18435
Joined: Tue Aug 17, 2010 1:47 am
