In what is considered to be the largest cache of data that has been hacked, over 770 million emails, 21 million passwords, plus other leaks of FBI records and Social Security numbers were exposed, now putting millions of Americans at risk for identity theft and fraud.
Security expert Troy Hunt outlines what has been released:
Let’s start with the raw numbers because that’s the headline, then I’ll drill down into where it’s from and what it’s composed of. Collection #1 is a set of email addresses and passwords totaling 2,692,818,238 rows. It’s made up of many different individual data breaches from literally thousands of different sources. (And yes, fellow techies, that’s a sizeable amount more than a 32-bit integer can hold.)
The unique email addresses totalled 772,904,991. This is the headline you’re seeing as this is the volume of data that has now been loaded into Have I Been Pwned (HIBP). It’s after as much clean-up as I could reasonably do and per the previous paragraph, the source data was presented in a variety of different formats and levels of “cleanliness”. This number makes it the single largest breach ever to be loaded into HIBP.
There are 21,222,975 unique passwords. As with the email addresses, this was after implementing a bunch of rules to do as much clean-up as I could including stripping out passwords that were still in hashed form, ignoring strings that contained control characters and those that were obviously fragments of SQL statements. Regardless of best efforts, the end result is not perfect nor does it need to be. It’ll be 99.x% perfect though and that x% has very little bearing on the practical use of this data. And yes, they’re all now in Pwned Passwords, more on that soon.
I recommend reading all of Troy’s lengthy but excellent article on the subject.
Tyler Durden adds:
The new finding, called “Collection #1” by Hunt, consists of 2.6 billion rows and is made up of “many different individual data breaches from literally thousands of different sources.”
New breach: The "Collection #1" credential stuffing list began broadly circulating last week and contains 772,904,991 unique email addresses with plain text passwords (now in Pwned Passwords). 82% of addresses were already in @haveibeenpwned. Read more: https://t.co/BAa3rbgZo4
— Have I Been Pwned (@haveibeenpwned) January 16, 2019
The database going back as far as 2008 is a staggering 87GB in size, and comprises 1.1 billion unique combinations of email addresses and passwords – many of which have been “dehashed,” or cracked and converted back to plain text.
This is when treating the password as case sensitive but the email address as not case sensitive. This also includes some junk because hackers being hackers, they don’t always neatly format their data dumps into an easily consumable fashion. (I found a combination of different delimiter types including colons, semicolons, spaces and indeed a combination of different file types such as delimited text files, files containing SQL statements and other compressed archives.) –Troy Hunt
The collection was dumped on anonymous storage site MEGA before it was posted on a popular hacking forum for anyone to access.
Last week, multiple people reached out and directed me to a large collection of files on the popular cloud service, MEGA (the data has since been removed from the service). The collection totalled over 12,000 separate files and more than 87GB of data. One of my contacts pointed me to a popular hacking forum where the data was being socialised, complete with the following image: –Troy Hunt
Not only am I on the list, I also received a phishing email telling me one of the throwaway passwords I used together with that email. So at least in my case I know who got hacked… and who will _NOT_ be receiving a bitcoin ;D
— Ruben W. (@ruben_we) January 17, 2019
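The clean-up rules Hunt describes above (several delimiter types in one dump, email addresses treated as case-insensitive but passwords as case-sensitive, and dropping still-hashed passwords, strings with control characters and fragments of SQL statements) amount to a line filter. The Python below is an added illustration of those rules written for this page; it is not Hunt's or HIBP's code, and the sample lines, the hash-format heuristics and the SQL-fragment pattern are my own assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample dump (not real breach data): colon, semicolon and space delimiters, an
# email differing only in case, a hashed password, a control character, an SQL fragment, junk.
SAMPLE_DUMP = """alice@example.com:hunter2
ALICE@example.com;hunter2
bob@example.com Hunter2
bob@example.com:hunter2
carol@example.com:5f4dcc3b5aa765d61d8327deb882cf99
dave@example.com:pass\x00word
('eve@example.com','Secret1'),
not-an-email-line
"""

EMAIL_RE = re.compile(r"^[^@\s:;,]+@[^@\s:;,]+\.[^@\s:;,]+$")
# Assumed heuristic for "still in hashed form": bare MD5/SHA-1/SHA-256 hex or a bcrypt prefix.
HASHED_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}|\$2[aby]?\$\d{2}\$.*)$")
# Assumed pattern for rows that are really pieces of SQL INSERT statements rather than data.
SQL_FRAGMENT_RE = re.compile(r"^\s*\(?'|INSERT\s+INTO|VALUES\s*\(", re.IGNORECASE)

def parse_line(line: str) -> Optional[Tuple[str, str]]:
    if SQL_FRAGMENT_RE.search(line):
        return None                        # fragment of an SQL statement: junk
    # Split on the first delimiter found, so a password may itself contain ':' or a space.
    for delim in (":", ";", " "):
        if delim in line:
            email, password = line.split(delim, 1)
            break
    else:
        return None                        # no recognised delimiter at all
    email = email.strip().lower()          # email addresses are case-insensitive
    if not EMAIL_RE.match(email) or not password:
        return None
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in password):
        return None                        # control characters: junk
    if HASHED_RE.match(password):
        return None                        # still a hash, not a plain-text password
    return email, password                 # password keeps its case

def summarise(dump: str) -> Dict[str, int]:
    combos, emails, passwords, rows = set(), set(), set(), 0
    for line in dump.splitlines():
        rows += 1
        parsed = parse_line(line)
        if parsed:
            combos.add(parsed); emails.add(parsed[0]); passwords.add(parsed[1])
    return {"rows": rows, "unique_combos": len(combos),
            "unique_emails": len(emails), "unique_passwords": len(passwords)}
```

On the constructed sample, eight raw rows collapse to three unique email/password combinations, two unique addresses and two unique passwords, which is the same kind of reduction Hunt reports from 2.69 billion rows down to 1.1 billion combinations.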
While Durden claims that credit card data and Social Security numbers were not a part of the publication, Forbes is reporting that a breach in the Oklahoma Securities Commission resulted in millions of Social Security numbers, as well as FBI records being exposed.
“It represents a compromise of the entire integrity of the Oklahoma department of securities’ network,” said Chris Vickery, head of research at UpGuard, which is revealing its technical findings on Wednesday. “It affects an entire state level agency. … It’s massively noteworthy.”
The Oklahoma department regulates all financial securities business happening in the state. It may be little surprise there was leaked information on FBI cases. But the amount and variety of data astonished Vickery and Pollock.
Vickery said the FBI files contained “all sorts of archive enforcement actions” dating back seven years (the earliest file creation date was 2012). The documents included spreadsheets with agent-filled timelines of interviews related to investigations, emails from parties involved in myriad cases and bank transaction histories. There were also copies of letters from subjects, witnesses and other parties involved in FBI investigations.
Major companies were also named in the leaked FBI file including AT&T, Goldman Sachs and Lehman Brothers, among many others. To be clear, it’s not apparent that any of the organizations were accused of securities crimes, but they were either participating in or linked to FBI cases in some capacity.
Asked if the FBI had comment on the leak of case files, a spokesperson for the law enforcement body said in an emailed statement: “Adhering to Department of Justice policy, the FBI neither confirms nor denies any investigation.”
Just as concerning, the leak also included email archives stretching back 17 years, thousands of social security numbers and data from the 1980s onwards.
Facebook has also “discovered” a security breach that affects almost 50 million users. Facebook VP of Product Management Guy Rosen posted:
On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.
Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As,” a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
Here is the action we have already taken. First, we’ve fixed the vulnerability and informed law enforcement.
Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.
Don’t worry, you can still trust Fascistbook (wink, wink) with your information. Does this look like a guy you can trust any more than zombie Mark Zuckerberg?
Many people ignorantly believe their information is private and secure. It’s not, not even from those who use such services as Facebook. However, my guess is that this will come to the forefront in the near future as something that “government must address,” which will turn into nothing short of a complete, unlawful surveillance state of every single piece of information that people might have.
If you are looking for something to protect yourself against identity theft and fraud that provides $5 million in coverage and does all the legwork to reclaim your good name, then don’t look to Lifeloc, click here.
You’ve been warned.