Massive breach leaks 773 million email addresses, 21 million passwords

[RV_]

This post will cover the latest major breach of our data, how to check if any of your data has been involved, and then I discuss the best passowrd managers paid and free, for 2019 according to PC magazine articles. There are things you can do. This goes across OS' as if they get a Linux user's passwords and email etc. it is not because of OS choice or OS of choice vulnerability.

When major data breaches occur many folks don't know what to do. Did they get mine? How do I know? Go here: https://haveibeenpwned.com/ and enter your email address to see if your passwords have been taken. If so you might want to consider getting a password manager. I will be doing that for the first time in addition to my VPN, which for some sites and streaming services I have to turn off. The two breaches of mine were one from 2013 with Adobe which email and password have never been used again. The other was from River City Media, and while they did get addresses, they got no passwords on the second. However the 2012 Disqus breach announced in 2017 did get an old password no longer used.

Scroll down when you check if you were pwned to see your details if any. They are important. (My wife's emails had no pwns!)

My details, pwned results are these:

Adobe: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.

Compromised data: Email addresses, Password hints, Passwords, Usernames

 

River City Media Spam List (spam list): In January 2017, a massive trove of data from River City Media was found exposed online. The data was found to contain almost 1.4 billion records including email and IP addresses, names and physical addresses, all of which was used as part of an enormous spam operation. Once de-duplicated, there were 393 million unique email addresses within the exposed data.

Compromised data: Email addresses, IP addresses, Names, Physical addresses

Disqus: In October 2017, the blog commenting service Disqus announced they'd suffered a data breach. The breach dated back to July 2012 but wasn't identified until years later when the data finally surfaced. The breach contained over 17.5 million unique email addresses and usernames. Users who created logins on Disqus had salted SHA1 hashes of passwords whilst users who logged in via social providers only had references to those accounts.

Compromised data: Email addresses, Passwords, Usernames

 

Read about this latest huge breach!

Excerpt:

" The best time to stop reusing old passwords was 10 years ago. The second best time is now.

In one of the largest public data breaches, a collection containing more than 87 gigabytes of personal information was leaked online.

The data dump, titled "Collection #1," was hosted on the cloud service Mega, and had 772,904,991 email addresses, and 21,222,975 passwords. The treasure trove of private information was discovered by Troy Hunt, a security researcher and founder of the "Have I Been Pwned" service.

The login credentials appear to have been stockpiled over years, as some passwords and emails come from 2008, Hunt said on his blog. The information comes from more than 2,000 different sources, Hunt said. You can check if you were affected by the breach by entering your email address on Have I Been Pwned. And you can see if individual passwords were compromised by clicking here. 

Breaches continue to happen on a massive scale as companies collect data on millions of people and fail to protect them properly. Marriott experienced one of the largest personal data breaches in history, losing personal information belonging to 383 million guests, while hackers hit Yahoo and stole data belonging to 3 billion accounts. The big numbers don't always equate to dire after-effects; the breach of Yahoo accounts, for instance, isn't likely to have the same potential for damage as the compromising of 147.7 million Social Security numbers taken in the Equifax breach.  

With this recent leak, it's a reminder for people to change their passwords, or start using a password manager that can automatically generate secure passwords for you. 

The best defense...: Data breaches can sucker-punch you. Prepare to fight back."

 

The full article is here with a lot of good hotlinks to other related information: https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/?ftag=CAD1acfa04&bhid=20640562413884385817807471581031

 

I would like the members here to open a new topic on the connecting on the road forum citing this article and recommendations for password managers and tips. I would like to read them myself from folks using password managers because I found old passwords breached when I went to the haveIbeen pwnd website (Link above)on both of my email addresses.

 

It is a royal PITA to change all my email addresses. More of a PITA to get identity theft resolved or monies returned. Fortunately I have already begun moving my email addresses in preparation for our move to another state. I am now changing the passwords to our important websites for shopping and banking. And after I read all of these links, I will pick a free or paid password manager.

 

Here is an excellent description of password managers:

https://www.sans.org/security-awareness-training/ouch-newsletter/2017/password-managers

 

Here is PC Magazine's

The Best Password Managers for 2019

Still using your kid's birthday as your universal password? You're heading toward trouble. With a password manager, you can have a unique and strong password for every secure website. We've evaluated two dozen of the best password managers to help you choose.

https://www.pcmag.com/article2/0,2817,2407168,00.asp

 

All of the products in the chart above earned at least 3.5 stars, and all of them cost money (though you can use some of them for free if you accept certain limitations). If you don't want to spend money and don't want limitations, don't worry. We've rounded up free password managers in a separate article. Most of the free tools lack the most advanced features, but they get the job done. Whether free or paid, a password manager is something everybody needs.

Here are the best free ones article:

The Best Free Password Managers for 2019

A password like '123456' may be easy to remember, but it's also equally easy to guess or hack. These are the best free password managers that can help you keep track of strong, unique passwords for every secure site you use.

https://www.pcmag.com/article2/0,2817,2475964,00.asp

I am likely to go with the #1 or #2 password manager on the free list. But if anyone has experience with Password managers for pay and why one of them might be better with personal experience please chime in.

Safe surfing and travels!

[theeyres]

I've used the free Last Pass for years and find it very easy. It's free across multiple platforms and computers. I don't see any reason to buy the premium version.

[Jaydrvr]

8 hours ago, theeyres said:

I've used the free Last Pass for years and find it very easy. It's free across multiple platforms and computers. I don't see any reason to buy the premium version.

Ditto on Last Pass. I paid for Premium until they included Android apps support in the basic version. Very happy with it for many years.

[justRich]

Nothing new in that headline.  The "leak" is a composite of many other breaches and released for sale.  It's not a "new breach".

https://krebsonsecurity.com/2019/01/773m-password-megabreach-is-years-old/

 

[RV_]

Rich my post above said:

" The login credentials appear to have been stockpiled over years, as some passwords and emails come from 2008, Hunt said on his blog. The information comes from more than 2,000 different sources, Hunt said. You can check if you were affected by the breach by entering your email address on Have I Been Pwned. And you can see if individual passwords were compromised by clicking here.  "

The idea being to get folks the information to check at the free Have I Been Pwnd site. Like the credit bureau breach it was breached years before too that they tried to hide. If a cyber criminal gets all your info from a newer or old listing today you aren't so much worried if your breach was current. Now you can check if you don't keep up with the pwnd service.

[RV_]

Thanks eyres, and Jay. I've heard that about last pass. Free is a good way to trial the service.

Safe computing.

[Second Chance]

We've used Efficient Password Manager for years, now. There are free and pay versions and it will generate random, secure passwords for you, as well. It has backup and restore functions which some of the other free ones don't.

Rob

[justRich]

To get a feel for how secure a password is, try a password checker such as: https://howsecureismypassword.net/

[RV_]

Rob,

Thanks! I will look into it as well when I am ready. I am having to move and change all my passwords and email addresses for all my vendors AND services so I will wait until we are settled at the other end.