Email addresses and passwords leaked. How to find out if you are affected.

[David Baxter PhD]

2.2 billion email addresses and passwords leaked - are you affected?
Ashampoo Blog
Feb 5, 2019

Usually, large (and illegal) email and password collections are an expensive commodity. Hackers, intelligence agencies and spammers tend to pay good money for extensive and detailed data sets on the dark web to support their activities. Recently, "Collection #1" was circulated and caught the eye of IT security expert Troy Hunt. It contained 773 million email addresses and 21 million passwords in clear text, much to the alarm of many users. One week later, it became apparent the data set was only the tip of the ice berg.

While originally assumed to be a rare find, "Collection #1" with its 87 GB and 12,000 individual files, was quickly overshadowed by "Collection #2" and "Collection #5", totaling 600 GB. The sets are still being analyzed but, so far, 2.2 billion email addresses and passwords have been identified, not all of them in readable clear text, though. It's likely the data was stolen from various companies and other facilities over an extended period of time. And since the lists are now easily accessible by anyone through common search engines, it's high time you changed your passwords.
The problem for many is they use the same combination of email address and password for multiple portals and services. Once hackers get hold of a collection, they tend to employ a strategy called "credential stuffing" that involves automated login requests directed against web applications. The more accounts are linked to a single email password pair, the higher the success rate (Amazon and eBay are common first strike targets). Social networks are also frequently targeted, so be wary should you suddenly spot ads on one of your friends' profiles - they might be affected.

Check out the dedicated website of Hasso-Plattner-Institut Identity Leak Checker to find out whether your email address is affected.



Read more...

 

[David Baxter PhD]

I found that one of my email accounts may have been affected (it was on an undetermined 2019 list with no details so it may not have disclosed any current passwords but I didn't want to take that chance) and changed that password.

Notes:

1. If you get an alert that your email address is on a leaked list, before you panic check the date and the details. For example, my list showed a 2014 entry for a tech forum I no longer frequent, so the password was not my email account password but the password for logging into that forum. That account was updated at the time after the forum notified all members of the breach so whatever password they had no longer exists
2. There also many spam/scam emails circulating currently that warn you they have invaded your email account and that they know about your online habits, and then demand a ransom in bitcoin or by some other means. These are trivial and do NOT mean that your account has been compromised. In my case, the emails I receive (which now go directly to spam) are about a password I have not used since the 80s or 90s so I know full well they are bogus.
3. It is a good reminder to update your passwords from time to time and to use secure passwords. Specifically,
   • most importantly, longer passwords are more difficult to crack,
   • mixing uppercase and lowercase helps,
   • mixing alphabetical and numerical characters helps, and
   • adding characters like punctuation or currency signs helps.

 

[GaryQ]

The sheer number of breached sites and login/password info being circulated around the net is unbelievable.

The latest file going around contains roughly 2 billion username & passwords and is said to be 850GB of data. The last I read about it was that 100 were sharing it and 1000 were downloading it when it came out. It is said to contain 2 billion user/password combinations with many passwords already in plaintext (readable) umhashed (need to be cracked but the shorter and simpler a password is or frequently reused the easier it is to crack from hashes.

it is called Collection #2-5 and follows the open release of Collection #1 not long ago which contained 773 million unique user/password combinations.

this site (Ignore the advertising for 1passeord manager) let’s you search by email and also by password to see if you have been pawned. FOR LOGICAL SAFETY REASONS DO NOT ENTER BOTH YOUR USERNAME AND PASSWORD. It is a free service and is up to Collection #1. Might take a while for Collection 2-5 to be usable by anyone with good intent. Those with malicious intent are most likely using what they can from the list already.
you can also sign up for email notification any time your email address shows up in a new breach.

https://haveibeenpwned.com/

 

[David Baxter PhD]

You can just enter your email at Identity Leak Checker to see if your email address was one of those compromised.

I prefer that because you are not entrusting any current passwords to anyone.

 

[GaryQ]

The password option is only an option. You can search by email only on https://haveibeenpwned.com/

I only mentioned the password option ito advise people not to enter both since it is something that is possible but definitely not recommended.
I like haveibeenpawned for the fact that he monitors all new lists and seems to be the fastest at doing so. if I pop up on a new list I get an email notification. Aside form his annoying push to get 1password manager (which is easily ignored) his reputation is solid

There are many sites/options available. Just make sure you use one that has a very strong reputation.

Many places just use haveibeenpawned's API and offer the service as a means of getting your email address(es) to add to a spam list. Other sites try to actually sucker you into entering email and password for obvious nefarious reasons.

I subscribed to the notifications but the main reason I use his site is that I also download the sha1 hashed unique password list and import to a MySQL database and can then search offline if any of my passwords pop up since not all pawned passwords are email/password some are username/password logins. And nobody sees the passwords I search for but me (of course that's assuming the integrity of my network hasn't been compromised)