37 votes

Cybernews research team has uncovered over sixteen billion leaked records since the start of 2025

56 comments

  1. [7]
    Jordan117
    (edited)

    For perspective, the Have I Been Pwned service that has tracked data breaches since 2013 has "only" 15 billion accounts in its database.

    edit: This article could really use a copyeditor; that, plus the somewhat vague (and ChatGPT-sounding) "researchers" mentioned in the "Cybernews" article it cites, makes me suspect this is largely collections of old breaches being puffed up for clicks. I'd wait for this story to be confirmed by HIBP or a more reliable source like Ars Technica or Wired before freaking out too much.

    24 votes
    1. [2]
      Comment deleted by author
      1. Lia

        If by self posts you mean posting one's own article, I agree. At least they could have a dedicated group so people could unsubscribe.

        This topic is meant to ask the question of what steps people would ideally take after a major breach of data is reported. If the moderators wish to remove the link, I'm okay with that as the article is admittedly of poor quality. Will removing the link remove the entire conversation though, as it's a link topic?

        1 vote
    2. [5]
      Lia

      From the article:

      Remarkably, I am told that none of these datasets have been reported as leaked previously, this is all new data. Well, almost none: the 184 million password database I mentioned at the start of the article is the only exception.

      Are you saying this could be misinfo? I was definitely going to complain about the journalist using ChatGPT to do his work but you beat me to it. I'm already completely sick of the "this is not just X, it's Y" etc.

      9 votes
      1. [3]
        Jordan117

        Not misinfo, necessarily, just puffery. Sounds like an affiliate blogger slapping a sensationalist headline on AI-generated quotes about a bunch of existing (poorly-labeled) data dumps they found on Tor, or leaning on a freelance "researcher" who did the same. The lack of identifiable sourcing for the claims is a red flag, and the language ("This is not just a leak – it’s a blueprint for mass exploitation. [...] This is fresh, weaponizable intelligence at scale", not to mention all those em dashes) is pretty blatant ChatGPTese.

        11 votes
        1. [2]
          Lia

          What threw me off, right after a quote from a Guccione:

          And Guccione certainly isn’t wrong, far from it in fact.

          That sounds like something a teenage human would say if they were trying to emulate what ChatGPT would say.

          2 votes
          1. DefinitelyNotAFae

            Well I guess I think/write like a teenager pretending to use Chat GPT? That sentence just reads as pretty typical copy to me, personally.

      2. Crestwave
        (edited)

        It's misleadingly worded. Essentially, the exact datasets as a whole have not been reported before, but the actual credentials inside it may have been covered before. They even mention that there are overlapping records within the 16b figure:

        There was no way to effectively compare the data between different datasets, but it’s safe to say overlapping records are definitely present. In other words, it’s impossible to tell how many people or accounts were actually exposed.

        If they weren't able to compare the data within the datasets they found, they probably weren't able to compare the data with previous breaches. They also hint at this possibly being a compilation of old breaches in the opener:

        Unnecessarily compiling sensitive information can be as damaging as actively trying to steal it. For example, the Cybernews research team discovered a plethora of supermassive datasets, housing billions upon billions of login credentials. From social media and corporate platforms to VPNs and developer portals, no stone was left unturned.

        3 votes
  2. [35]
    Lia
    (edited)

    To anyone panicking about this like I did: it's been brought to my attention that this is likely to be a phishing-related breach, rather than the services (Apple, Google) themselves getting breached. So not quite as daunting as it seemed to me at first. Obviously, it's as important as ever to practice caution regarding your passwords.


    Apparently there was another major breach in May that I didn't even know about.

    I always feel out of my depth when this stuff happens and I'm hoping to gain some basic info this time. Can someone here help?

    First question:
    How can I figure out what data has been leaked? I have more than one Gmail account. How do I know which of those passwords are compromised? I also have Apple, Facebook and GitHub accounts, and additionally the article says "various government services" were compromised, but it doesn't give more detail, nor an understandable explanation of how this even happened.

    My password system is a mix of high security passwords + 2FA for very important stuff, long but memorisable passwords for normal important stuff that normally doesn't get leaked (but apparently now may have been) and low security passwords for services that don't have sensitive data. Those get leaked from time to time, which I find out by using a free service that accepts my email address and shows any known leaks where that address is included, and the service that was compromised. I then go and change that password. The highest security passwords have never been leaked to my knowledge and I absolutely must know if they were leaked now. I'm not in a rush due to the 2FA but still.

    Second question:
    Is it really completely awful to use passwords rather than some password generator? I've never tried one of those because I hate the idea that I don't know what my passwords are and it could become a massive hassle if I lost access to the generator. Also, I'd have to have it on my phone too, but in that scenario losing my phone would be incredibly crushing. I don't know if it would actually be less safe, but I would be incredibly anxious if my phone went missing with a password generator on it that has access to every single shred of my existence. It's just too much weight on one device/system. Am I wrong?

    14 votes
    1. [23]
      Wuju
      (edited)

      How can I figure out what data has been leaked?

      Generally your password manager may inform you if it provides that. Outside of that, you can enter your email into sites like Have I Been Pwned and it will tell you what data leaks that the email has been a part of as well as what data was leaked in it. There's also a separate field to check passwords, but you should be hesitant to do such things, even if someone recommends it, and doubly so if they link it. In Have I Been Pwned's case, it's not really helpful anyways; I believe it just gives a yes/no answer on the password.

      That said, it's certainly going to take some time for them to parse this massive amount of data once they get their hands on it. It's literally more accounts than they already have records of. I would definitely recommend changing your passwords on any important accounts as soon as feasible rather than wait to see if you are part of it. (You likely don't need to rush, but the longer you wait, the more likely you are to forget about it or decide it's not needed.) Criminals are going through the data at the same time and it's very possible they test your account before anyone can warn you.

      Is it really completely awful to use passwords rather than some password generator?

      Not really. A password generator will be more secure, but a sufficiently difficult password can be more than good enough. Even if you just choose 4 random words of the 1,000 most used words in the English language, and the would-be hackers know as such, that's about 1,000^4, or about one trillion potential combinations that they have to attempt.

      In the end though, Multi-Factor Authentication is likely going to do more for your account security than any needlessly complicated password.

      8 votes
      1. [16]
        Lia

        Generally your password manager may inform you if it provides that.

        I don't use a password manager for anything but the lowest tier passwords. Is this silly? I guess my uneducated fear is that the manager could leak the passwords stored on it. For clarity, I use the manager(s) on my browser(s) and if there are other kinds, I am unaware of them.

        Not really.

        Thank you. I'll just replace all passwords with "correcthorsebatterystaple" and I'm good! :)

        More seriously speaking, I once saw some info that made it look like this comic got things all wrong, but I forgot where and what, other than that it may have been on Tildes. Let's hope the person shows up to explain!

        3 votes
        1. [14]
          Sunbutt23

          Listening to the podcast Darknet Diaries will help your OpSec a lot. The two biggest suggestions are “don’t reuse passwords” and “don’t reuse email addresses”; these both help ensure that when one account is compromised, your other accounts won’t be.

          2 votes
          1. [13]
            Jedi

            Don't reuse email addresses? I'm pretty safe with my security practices, but that's a little too much effort for me.

            1 vote
            1. [10]
              hungariantoast

              Using unique email addresses everywhere is pretty easy, if your email provider offers unlimited addresses/aliases, and you use a password manager.

              So if my personal domain is thisismyemail.com, and my email provider lets me use an arbitrary amount of email addresses that are all synced to the same inbox...

              Then my email address (alias) for my Tildes account might be tildes@thisismyemail.com and the address for Jimmy's Long Schlong Hot Dongs down the road might be giveittomejimmy@thisismyemail.com. Those are "separate" email addresses from a hacker's point of view, but with my email provider, I have configured them to both go to the same inbox. So to my perspective, they're the same address.

              With a password manager, you don't even have to follow a comprehensible scheme for naming each email address for each account you have. So my Tildes account's email address can be ufedhf5753837hfhsd@thisismyemail.com and I don't have to remember that because my password manager handles it automatically.

              I think doing this is overkill, but also it's very cool that it's possible.

              4 votes
              1. [9]
                DeaconBlue

                Is there any email service that will do that behind the scenes with common password managers?

                Like, sure, I could look up the API documentation for both my password manager and my email provider and roll my own browser extension that does what you said. Of course, to be useful, it would also have to be cross platform.

                Doable? Probably.

                I don't want to do that.

                2 votes
                1. Weldawadyathink

                  1Password and Fastmail have an integration together. I can happily recommend either service separately, but they are great paired together. When you have to type in an email for a service, 1Password will offer to make a random email address, and save it to your vault. It automatically generates that within Fastmail. If the company sells your email and starts sending ads, you can very easily block just that email address. Fastmail by default will generate something at one of its domains, but you can also use your own domain. I have *@firstnamelastname.com go to my inbox. I also have a separate domain that is exclusively for these generated emails. So everything to @welda.xyz is blocked by default, but when Fastmail generates something like affluent-otter1869@welda.xyz, that specific address is allowed, with callouts for which website I originally generated it for. Very smooth service.

                  3 votes
                2. [6]
                  Sunbutt23

                  I do a form of this with gmail. My email is first.last@gmail.com and when I sign up for a service I use first.last+service@gmail.com

                  Not totally obscure like above, but it keeps them unique enough that they are less likely to be guessed. Plus a unique password on each site helps.

                  2 votes
                  1. [2]
                    DeaconBlue

                    Sure, but that requires you to type it in. My password manager already generates random passwords per site, so if there is a way to also generate random emails I would love to hear it.

                    2 votes
                  2. [3]
                    tomf

                    if spammers get a list of emails, they strip off the +blah — it’s only useful for your own automatic sorting, not for any sort of obfuscation or opsec

                    1 vote
                    1. [2]
                      Sunbutt23

                      It helps keep hackers to only one account. If they get my Facebook email they can guess but not always my Whole Foods email. Just small help.

                      Sure spammers don’t care, but I don’t get spam these days.

                      2 votes
                      1. tomf

                        if someone is trying to get into your shit, they're likely working from a list, though. A lot of people do this system and it works because they aren't targeted... and that's the only reason :)

                        2 votes
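The exchange above about "+tag" addresses versus random aliases comes down to canonicalization: a recipient domain that ignores subaddresses (and, for Gmail, dots in the local part) lets anyone collapse the tagged forms back to one inbox, which is exactly what anti-abuse teams do to spot duplicate sign-ups, whereas a random alias on a catch-all domain has nothing to strip. The following is an added example, not code from the thread or from any of the services named in it; the provider sets are assumptions you would extend for your own providers, and the sample addresses and the catchall.example domain are constructed.

```python
from collections import defaultdict

# Assumption: providers known to ignore a "+tag" subaddress. Gmail additionally
# ignores dots in the local part and treats googlemail.com as gmail.com.
PLUS_PROVIDERS = {"gmail.com", "googlemail.com"}
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}


def canonical_address(address):
    """Collapse a mailbox address to the inbox it actually reaches.

    Strips a "+tag" subaddress for providers known to ignore it (and dots for
    Gmail), lower-cases the rest, and leaves anything else untouched. A random
    alias on a catch-all domain has nothing to strip, so it stays distinct.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower().rstrip(".")
    if domain in PLUS_PROVIDERS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_by_inbox(addresses):
    """Map each canonical inbox to the original addresses that reach it.

    Groups of size > 1 are addresses an outsider can link to one person
    purely from the address text.
    """
    groups = defaultdict(list)
    for address in addresses:
        groups[canonical_address(address)].append(address)
    return dict(groups)


# Constructed sample: plus-tagged Gmail addresses beside random catch-all aliases.
SAMPLE = [
    "first.last+facebook@gmail.com",
    "First.Last+wholefoods@gmail.com",
    "firstlast@gmail.com",
    "affluent-otter1869@catchall.example",
    "brisk-heron42@catchall.example",
]

if __name__ == "__main__":
    for inbox, originals in group_by_inbox(SAMPLE).items():
        print(f"{inbox}: {originals}")
```

The three Gmail variants fold into a single inbox, so the tag never hid the link; the two catch-all aliases stay separate because only the domain owner's configuration connects them, and that configuration is not visible in the address.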
                3. hungariantoast

                  Is there any email service that will do that behind the scenes with common password managers?

                  Do what behind the scenes? Generate a "handle" for an email address automatically (meaning the part in front of the @)? I don't know of any password managers that can handle that. There are email alias services that generate addresses and then just forward them to some actual address you provide, and Bitwarden supports generating aliases from some of those services. That's the closest thing I know of.

                  With my email provider though, I don't need to set up an address before I use it (such as to register an online account), because any email sent to any address on my domain, that does not have a pre-configured inbox, is automatically sent to a catchall inbox instead.

                  So for me the utility of an email handle generator would be to save a dozen or two key presses, and I rather like my keyboard :)

                  1 vote
            2. Sunbutt23

              It’s easier than you think with Gmail. If your email is first.last@gmail.com you can use a + symbol to add strings to the end of your email and therefore make a unique address for each site. Example: first.last+facebook@gmail.com

              It’s a small layer of security to keep people from moving laterally through your accounts.

              3 votes
            3. tomf

              domain + catch-all + blacklisting a few easy addresses like hostmaster, admin, etc — i’ve been in this setup for a few years now. only company had a leak so i bps listed the old email and gave them company2@domain.com instead. ezpz.

              i use zoho. it’s cheap and good.

              1 vote
        2. okiyama

          Using a generated, unique password per service makes you more or less bulletproof. Your browser hangs on to that securely; in the past it was insecure, but now an attacker would need physical access to get anything meaningful.

          I use and recommend BitWarden. It means I have to memorize one password, then everything else is secure (by using generated passwords, and even email addresses).

          I just mentioned this elsewhere, but all-lowercase, word-based passwords are insecure, because of that comic.

          A sentence with some upper case, some special symbols, and a brief random sequence will be uncrackable. MynAm3isquz67!kTildes is secure and you only have to rote memorize "quz67!k".

          2 votes
      2. [6]
        okiyama

        I actually disagree that a 4 word password is secure; 1 trillion hashes would take on the order of seconds to crack.

        My template, which I find easy to memorize, is

        W0wlook!tskuac7fqyTildes

        Then, each service is unique, it's a sentence I can remember, and I only had to rote memorize "kuac7fqy".

        1 vote
        1. [2]
          teaearlgraycold

          I used to do something like that but use 1password these days. Now I have hundreds of unique 32 character passwords and one password I need to remember.

          4 votes
          1. okiyama

            I'm on BitWarden and love it; they're totally security breach free since inception. LastPass is best avoided. Looks like 1password is good sans catching strays from an Okta breach (Jesus Christ...); can't remember why I picked BitWarden over it TBH.

            2 votes
        2. [2]
          DrStone

          I used to do something like this. It all goes to hell when you’re required to change a password (expiration policy, breach, whatever). Now you have to remember if Tildes is the basic formula or a versioned one, and if versioned which number or modifications. And then remember that for every service, including the rarely used ones. Over the years, depending on your usage, it can become a nightmare.

          3 votes
          1. okiyama

            I just chuck ! on the end; it is a PITA though. I of course just use BitWarden, which I recommend.

        3. Wuju

          Eh, that's kind of why I said "good enough" rather than using the word "secure"; a vast majority of people are not important enough that someone is going to burn resources to crack a specific password like that. They also need to know that you're using a four word password, which means you are actively sharing that information. (If you're sharing the methodology of your passwords, skip cracking the password, chances are you're easy prey for just phishing attempts.) Then for most people, your password is just login credentials for an online site, which is going to be rate limited.

          But also, using such a password is both more and less secure than the one trillion combinations, but I didn't really feel like it was worth getting into. First, the would-be hackers don't know that you're using a four word combination password; this is generally the main thing to it: security through obscurity. Second, chances are you're probably using four words that make sense together, possibly that can form a sort of sentence; this would make it actually quite predictable and probably reduce it to the millions at best if someone knows your methodology. Third, most sites often have specific requirements on the passwords used, usually a number and a capital letter. Most people will just capitalize the first letter and throw a 1 on the end, but if you can deviate from that you can multiply the combinations by quite a bit.

          If you use the best practices while still keeping it memorable, you'll mix up the numbers of words in your password maybe using 5 or 6 instead, capitalize the "most important" word instead of the first, replace a random letter with a number instead of sticking it on the end, use at least one more obscure word, throw your favorite random symbol into the mix that some sites may require anyways. And if you do all that, you increase the potential combinations astronomically, even if the would-be hacker knows your methodology.

          Regardless, if you get hacked, it very likely isn't because your password wasn't secure enough. It's because your password got leaked in a data breach or you got hit by some social engineering and unwittingly gave out your password. Even in high value target scenarios, I do believe this is the case. I mean, the title is that 16 billion records were leaked. That's potentially 16 billion opportunities to steal from some random person that couldn't be bothered to change their password; why would you waste your time targeting one specific person who may or may not even leave you with any opportunities should you get into their account?

    2. [2]
      ButteredToast

      I like to do a combo of memorized and generated. For my most important and commonly used accounts, I use a method I’ve found that works well for me to come up with memorable passwords, and for less important and infrequently used ones I go for the generator.

      This might technically make me more vulnerable to attack if someone figures out my methodology, but with how important some accounts are these days I can’t risk getting locked out of them. There’s plenty of circumstances in which those passwords might be needed but I can’t use my manager for some reason.

      The main downside so far is that it makes changing those passwords more annoying since memorization always takes some time.

      5 votes
      1. Lia

        I also have a method for creating a strong, long password that I can remember reasonably well. In case I ever forget, the method involves a description of the password that I can write down because no one else will be able to understand the description.

        The downsides are the same as yours: should someone figure out the system anyway, this will expose me, but first they would have to find out where the description is written. And making a new one takes reasonable effort which is why I wouldn't want to do it if the current one in fact has not been leaked.

        3 votes
    3. [3]
      Jakobeha

      The article says the passwords were leaked by infostealers, and most servers store passwords so they can't be leaked directly (hashed + salted), so they were probably obtained by phishing. In summary, if you only ever entered a password into the real site it's probably safe; however, it's very easy to unknowingly reach a fake login screen practically identical to the real one (the only difference being the URL), e.g. by clicking an official-looking email, and any password entered there would be leaked.

      Besides using a password generator, I also recommend using an email service that gives you "masked" emails (I use Fastmail, Firefox and Apple also provide this). These are email addresses that forward everything to your main address, and Fastmail at least also forwards replies through the masked email; if a website is breached and the masked email you gave it gets flooded with spam, you can turn off that particular email and still receive email from other sites and your main address.

      5 votes
      1. [2]
        Lia

        The article says the passwords were leaked from infostealers, and most servers store passwords so they can't be leaked directly (hashed + salted), so it's probably phishing. In summary, if you only ever entered a password into the real site it's probably safe; however, it's very easy to unknowingly reach a fake login screen practically identical to the real one (the only difference being the URL), e.g. by clicking an official-looking email, and any password entered there can be assumed leaked.

        Thank you so much. If this is correct, then I can assume my Gmail/Apple and other main accounts are safe.

        I wouldn't ever access them via clicking some links somewhere. I try to not even open emails that seem even a little bit scammy. The most recent one was ostensibly from a high security service provider and titled "Think before you click!", meant to look like they were helping me keep my account safe. It seemed fishy so I checked the sender address without opening and sure enough, instead of the usual donotreply@provider.com it was donotreply@email.provider.com

        I was quite concerned that even an Apple account's password can be "easily" (as the article says) leaked without myself having made a mistake. Am I safe to assume this is not the case?

        2 votes
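Both comments above turn on the same check: a phishing page differs from the real one only in the URL, and a mail's sender domain is what you inspect before opening it. The question the check has to answer is whether a host is actually under a domain you trust, as opposed to merely containing its name. The following is an added example, not code from the thread; the TRUSTED_DOMAINS allow-list and the sample URLs and addresses are constructed (provider.com and the login-check.example domain stand in for real ones). It classifies a host as an exact match, a subdomain of a trusted domain (controlled by that domain's owner), or untrusted, and uses urllib to extract the host the browser would really connect to.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the registered domains you actually hold accounts with.
TRUSTED_DOMAINS = {"provider.com", "apple.com"}


def hostname_of(url):
    """Return the host a browser would connect to for this URL, lower-cased.

    urlsplit().hostname discards user-info before '@', the port and the path,
    so "https://apple.com@login-check.example/" yields login-check.example.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    return parts.hostname.rstrip(".")


def classify_host(host, trusted=TRUSTED_DOMAINS):
    """'trusted' for an exact match, 'trusted-subdomain' for a host under a
    trusted domain, otherwise 'untrusted' (lookalikes land here).

    The "." prefix matters: matching on label boundaries is what stops
    notapple.com or apple.com.login-check.example from passing.
    """
    host = host.lower().rstrip(".")
    for domain in trusted:
        if host == domain:
            return "trusted"
        if host.endswith("." + domain):
            return "trusted-subdomain"
    return "untrusted"


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Classify the destination of a link the way a user should read it."""
    return classify_host(hostname_of(url), trusted)


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Classify the domain part of a From: address the same way."""
    _, sep, domain = address.rpartition("@")
    if not sep or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return classify_host(domain, trusted)


if __name__ == "__main__":
    # Constructed samples: a real subdomain, two lookalikes, and three senders.
    for url in ("https://www.apple.com/account",
                "https://apple.com.login-check.example/signin",
                "https://apple.com@login-check.example/signin"):
        print(f"{url:<50} host={hostname_of(url):<28} {classify_link(url)}")
    for sender in ("donotreply@provider.com",
                   "donotreply@email.provider.com",
                   "donotreply@provider-security.example"):
        print(f"{sender:<50} {classify_sender(sender)}")
```

The check only tells you whether the host really sits under the trusted domain; it says nothing about visual similarity, so a homoglyph or internationalised lookalike is reported as untrusted for the right reason (it is a different domain) but is not flagged as deceptive. The distinction it does draw is the one that matters for the sender-address case above: email.provider.com is operated by whoever controls provider.com, whereas provider-security.example is not.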
        1. Jakobeha

          I hesitate to say "yes" because nobody can be 100% certain with malware, and even Apple has zero-click vulnerabilities (most recently Paragon). Apple devices seem to have good security, and I assume if a zero-click was used to mass-leak passwords (not just target specific journalists and activists like in the linked article), it would make more headlines everywhere and Apple themselves would send an alert telling (if not forcing) everyone to change their password ASAP. But I'm not in security so you probably need a more qualified opinion.

          At minimum I recommend 2FA, preferably TOTP which is safer than SMS or email (I use Duo, except for Apple/Google/Microsoft which have their own 2FA). Then if someone does have your password they can't login without your phone.

          3 votes
    4. [4]
      vord
      Link Parent
      Ultimately the answer is password rotation. Rotate all your passwords for your major accounts immediately (password manager, email, etc), then rotate all the others as quick as you reasonably can.

      Use a password manager. It doesn't matter too much which one, and if you are concerned about total loss, periodically export a plaintext version and archive that somewhere safe. I keep mine in two different password managers and a plaintext recovery for some major ones printed out and stored securely.

      2 votes
      1. [2]
        arch
        Link Parent
        I hope you encrypt that plaintext recovery very well, or airgap it (print it and keep it somewhere extremely private and secure). Otherwise this is just like those people who write their password on a sticky note and keep it on their computer.

        2 votes
        1. vord
          Link Parent
          Yes but I didn't want to reveal details. :)

          At the end of the day, a good password on a post-it in your home is better than a bad password.

          Post it in a public place like work much less so.

          7 votes
      2. Kitahara_Kazusa
        Link Parent
        I just use the same password everywhere, except for my main email. Anything else that could potentially get hacked, like this account, I either

        a) don't care

        b) would be protected by 2FA

        And even if my main email were to get hacked, that has 2FA on it as well, but I still want to be a little more careful with that, since it could be used to reset my bank passwords.

        1 vote
    5. [2]
      Notcoffeetable
      Link Parent
      I've never tried one of those because I hate the idea that I don't know what my passwords are and it could become a massive hassle if I lost access to the generator.

      This was my fear, and why I use the Apple password app. I feel confident I'll be able to access my Apple ID, and it's also biometrically secured. I can use the iCloud app on my PC combined with an Apple extension in Vivaldi that will get my passwords from the password manager. But I can also go into the app and actually look at the password when I need to. It was a bit bumpy changing my process, but now it all works well and I've transitioned almost all my passwords to randomly generated passwords. The app will also tell you when an account has been compromised so you can go in and change it easily.

      1 vote
      1. Lia
        Link Parent
        Thank you. I guess I could at least consider switching my low-tier passwords into this system.

        1 vote
  3. [6]
    0x29A
    Link
    Take all Forbes "tech" articles with a massive grain of salt. They're often very poorly written and simply just get things wrong or have really weird takes.

    This one has a very AI-written, very typical "alarmism for clicks" kind of bait style to it. Only trust the substance of this if it is reported by more trusted tech outlets.

    Otherwise these are not new breaches but possibly new collections/amalgamations of old breaches.

    8 votes
    1. [5]
      Lia
      Link Parent
      I'm not super tech savvy and I only read the thing in a cursory way before posting because I thought everything I thought relatively safe, like an Apple account, in fact is not.

      Here's the belief I held before seeing this article: If I don't tell anyone my password and I don't insert it anywhere besides the appropriate input field on the actual site with the real url, and I don't have it written down anywhere, or have a photo of it anywhere etc., then I can be fairly sure it is not going to be found in a data breach like this one? Is that correct?

      If yes then I agree with @canekicker that I shouldn't have posted this article. I thought it had massive implications to many people but if it's just fear mongering, it shouldn't receive clicks from our direction.

      2 votes
      1. [3]
        Jordan117
        Link Parent
        That's generally pretty safe, but there is the possibility of your machine getting infected by malware or, more often, the website itself suffering a data breach.

        2 votes
        1. [2]
          Lia
          Link Parent
          the website itself suffering a data breach.

          How likely is it that Apple and Google accounts would get exposed that way? Not just one or the other but both in one go. Those are the more important ones I've considered fairly safe against hacking.

          1 vote
          1. Jordan117
            Link Parent
            Pretty unlikely; they have among the most hardened security in the world and I don't think either of them have ever suffered a mass data breach. Credentials have been exposed, ofc, but only through user-facing phishing, malware, etc.

            3 votes
      2. 0x29A
        (edited )
        Link Parent
        Generally, aside from malware/something on your own computer stealing multiple credentials (which is its own threat), that is correct, as long as that specific business you're logging into never had its own specific new data breach.

        The only time it would possibly still be in the big shared massive breach lists, assuming that it was never phished/etc, would be if that password/email was reused on another real/valid/legit site that happened to suffer its own breach. A lot of the reason these big collections are shared is that so many people unfortunately reuse their passwords on multiple sites: once someone's email/pw combo is breached in one place, it can be used to get into other accounts.

        If no breach has been reported by company XYZ, AND you've never reused that exact combination of credentials on any other site, and somehow you still find they were in a big breach collection, that would be a sign that company XYZ did not (or has not yet) reported the breach even though they had one, OR some associated backend service they use that deals with their login system was similarly compromised and not reported. This should be a rarity, but you never know, and it depends on the business/site/company in question and how compliant they are, etc.

        Btw, I'm not criticizing your posting of the article here, just criticizing the article and Forbes themselves because this isn't the first time they've had iffy articles (and I wouldn't expect you to know that or expect you to be techy, so please don't take ANY of what I've posted as aimed at you!).

        I'm not even necessarily saying that this article is completely bunk, but that it's just not a source I would trust (and subsequent reading of the material confirms it just feels questionable). If there are indeed brand new data breaches and compromised accounts, other outlets should end up reporting on it eventually, and usually when a tech site (like Ars Technica, or a trustworthy non-hyping/short-selling security company, or otherwise) reports on it they're pretty good about giving the exact details and what to expect as a user (if there's a real danger or not, etc).

        Checking some tech aggregators, I'm still a bit iffy on this whole thing. The only places I see it reported right now are two sites: Cybernews (who claims to have uncovered it, I think?) and some crypto/bitcoin/etc site, which gives me a bit of pause. It's on Slashdot, but only because an anonymous reader reported it from Cybernews... so no extra help there. Maybe in the next few days we'll get better sources.

        2 votes
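The practical follow-up to "was that exact password in one of the big collections?" is a lookup that does not hand the password to anyone. Have I Been Pwned's Pwned Passwords range endpoint works by k-anonymity: the client sends only the first five hex characters of the password's SHA-1, gets back every matching suffix with a count, and does the final comparison locally. The following is an added example, not code from the thread or from HIBP; the network call is replaced by a constructed response (`FAKE_RESPONSE`, with a made-up count) so it runs offline, and `live_fetch` shows the real call for anyone who wants to run it for real.

```python
import hashlib
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Upper-case SHA-1 hex of the password, split into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    out: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        out[suffix.strip().upper()] = int(count.strip() or 0)
    return out


def breach_count(password: str, fetch: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not seen).
    `fetch(prefix)` must return the body of GET RANGE_URL + prefix."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for the network response: two made-up suffixes plus the real
# SHA-1 suffix of the string "password" with an illustrative (not real) count.
FAKE_RESPONSE = """\
00000000000000000000000000000000001:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
"""


def fake_fetch(prefix: str) -> str:
    """Offline substitute for the HTTP call; returns the constructed body for any prefix."""
    assert len(prefix) == 5 and prefix.isalnum()
    return FAKE_RESPONSE


def live_fetch(prefix: str) -> str:
    """Real lookup over the network. The Add-Padding header asks the service to pad
    the response with zero-count entries so its length reveals nothing about the prefix."""
    import urllib.request
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(repr(candidate), "seen", breach_count(candidate, fake_fetch), "times (offline sample)")
```

A password manager's own breach-check feature does the same thing in the background; the point of seeing it spelled out is that the service never learns the password, only a prefix shared with hundreds of other hashes.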
  4. hungariantoast
    Link
    Updated the link to the original Cybernews article, title to something less "alarmist".

    6 votes
  5. [5]
    NoblePath
    Link
    Someone just used my iCloud username, which I never use as an email, to try to open an amazon.co.uk account (I live in the US and have an amazon.com account under a different email). I immediately changed my major passwords.

    My security is thin, I use iCloud passwords. I keep that icloud.com account in my mind, together with the passwords for my two computers, and everything else in Passwords. It's thin, but they would have to both guess the password and gain access to my physical devices to compromise them under ordinary circumstances. Of course if for some reason I become a high value target I'd crumble per the relevant xkcd (do I really have to link it?)

    5 votes
    1. [4]
      l_one
      Link Parent
      Of course if for some reason I become a high value target I'd crumble per the relevant xkcd (do I really have to link it?)

      The $5 wrench theory of security vulnerability I presume?

      3 votes
      1. [3]
        Lia
        Link Parent
        Just post it already! Some people have missed out, myself included.

  6. teaearlgraycold
    Link
    I wish there was a standard API to change your password. Then password managers could automatically rotate all passwords every 30 days. But we'll probably get universal passkey support before that ever happens.

    2 votes
  7. RNG
    Link
    My guess (since they didn't say otherwise) is that these are salted password hashes. Which means getting one password doesn't give an attacker access to everywhere else you have used that password (unless they expend tremendous compute brute-forcing your password from the salted hash, something that would not scale for the data set.)

    1 vote
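Whatever form this particular dump takes, the property the comment above relies on is worth seeing in code. Below is an added example (not from the thread or any participant) of per-user salted password hashing with PBKDF2, and of the offline dictionary attack an attacker runs against one leaked record: the same weak password reused at two sites produces two unrelated digests, so work spent cracking one buys nothing against the other, and every guess costs the full work factor. The wordlist, the two site salts and the passwords are constructed; `ITERATIONS` is kept low so the demo runs in about a second.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; production uses a higher count or scrypt/Argon2


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage. A fresh random salt per user means the
    same password hashes differently everywhere, so precomputed tables are useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack(salt: bytes, digest: bytes, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline dictionary attack against ONE leaked (salt, digest) pair.
    Returns (recovered password or None, PBKDF2 evaluations spent). Because the
    salt is baked into every guess, nothing computed here transfers to a record
    with a different salt: the attacker pays the full cost per hash."""
    spent = 0
    for guess in wordlist:
        spent += 1
        if verify_password(guess, salt, digest):
            return guess, spent
    return None, spent


WORDLIST = ["123456", "password", "qwerty", "sunshine2020", "letmein"]  # constructed


def demo() -> dict:
    # The same weak password reused at two sites; each site has its own salt
    # (fixed here so the run is reproducible; use os.urandom in real code).
    salt_a, digest_a = hash_password("sunshine2020", salt=b"site-A-salt-0001")
    salt_b, digest_b = hash_password("sunshine2020", salt=b"site-B-salt-0002")
    # A random password that no wordlist contains, with a random salt.
    salt_c, digest_c = hash_password("kq7#Vt2!pLz9$wRm")
    return {
        "same_password_different_digests": digest_a != digest_b,
        "crack_site_a": crack(salt_a, digest_a, WORDLIST),
        "crack_site_b": crack(salt_b, digest_b, WORDLIST),  # full cost paid again
        "crack_random": crack(salt_c, digest_c, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The catch the comment already notes is scale: a weak, reused password still falls to a short wordlist at every site, salt or no salt. Salting stops bulk precomputation and cross-site reuse of cracking effort; only password strength stops the per-hash guess.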