Geekzone: technology news, blogs, forums

freitasm (Administrator)
#222826 30-Aug-2017 11:52
This huge (711 million records) leak would explain some email being sent from people's addresses, and it contains email, password and SMTP server.

I commented on there - Troy's Have I been pwned service is great, but it's getting harder now to manage passwords. If you have a website leak and know the source, you know where to change the password, but with leaks that are username + password then it's harder to know where to change. And since he (rightly) does not disclose the passwords in the dumps, those already using unique passwords have a harder time.

It seems we have to start using unique email + unique passwords to be able to better manage security. Those email aliases or emails with "+" in the address come in handy here.

I recommend subscribing to the notification service at Have I been pwned so you receive notifications of leaks.
Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 
Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.
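One way to put the "unique email per site" idea from the post above into practice, as an added example that is not part of the original thread: a small Python script that derives one plus-tagged address per site and, given the address column of a dump, tells you which site each of your addresses was handed to. It assumes your mailbox provider delivers mail for user+tag@domain to user@domain (RFC 5233 subaddressing; the large providers do, but check yours) and that you keep a note of which tag you used where. The base address and the leaked list are constructed for the example. Two caveats a practitioner should keep in mind: some signup forms reject or strip the "+", and anyone who sees alice+shopco@example.com can trivially recover alice@example.com, so the tag attributes a leak but does not hide your real address.

```python
import re
from typing import Dict, List, Optional, Tuple

# local part, optional +tag, domain. Local parts are compared case-insensitively
# below because every major provider treats them that way in practice.
_ADDR = re.compile(r"^(?P<user>[^+@]+)(?:\+(?P<tag>[^@]+))?@(?P<domain>[^@]+)$")


def _parse(address: str) -> Tuple[str, Optional[str], str]:
    """Split an address into (user, tag or None, domain), all lower-cased."""
    m = _ADDR.match(address.strip())
    if not m:
        raise ValueError(f"not an address: {address!r}")
    tag = m.group("tag").lower() if m.group("tag") else None
    return m.group("user").lower(), tag, m.group("domain").lower()


def site_alias(base: str, site: str) -> str:
    """Return base tagged for one site: alice@example.com + 'Shop Co' -> alice+shopco@example.com."""
    user, tag, domain = _parse(base)
    if tag is not None:
        raise ValueError("base address must not already carry a tag")
    label = re.sub(r"[^a-z0-9]", "", site.lower())  # keep the tag to characters every form accepts
    if not label:
        raise ValueError("site name yields an empty tag")
    return f"{user}+{label}@{domain}"


def attribute_leak(base: str, leaked: List[str]) -> Dict[str, Optional[str]]:
    """Map each leaked address that belongs to `base` to the tag (site) it was given to.

    Untagged copies of the base address map to None (the dump does not tell you the
    source); addresses for other mailboxes and junk rows are ignored.
    """
    my_user, _, my_domain = _parse(base)
    hits: Dict[str, Optional[str]] = {}
    for addr in leaked:
        try:
            user, tag, domain = _parse(addr)
        except ValueError:
            continue  # malformed rows are common in dumps; skip rather than abort
        if user == my_user and domain == my_domain:
            canonical = f"{user}+{tag}@{domain}" if tag else f"{user}@{domain}"
            hits[canonical] = tag
    return hits


if __name__ == "__main__":
    BASE = "alice@example.com"  # constructed base address for the example
    # constructed sample of what the address column of a credential dump might hold
    DUMP = [
        "alice+shopco@example.com",
        "ALICE+Forumz@Example.com",
        "alice@example.com",
        "bob+shopco@example.com",
        "not-an-address",
    ]
    print(site_alias(BASE, "Shop Co"))
    for addr, site in attribute_leak(BASE, DUMP).items():
        print(addr, "->", site or "untagged: source unknown")
```

Run it against the address column of a dump you have been notified about and the tag tells you which account to rotate first; the untagged hits are the ones where the alias scheme gives you no attribution and you fall back to changing everything that used that address.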

kyhwana2
#1855236 30-Aug-2017 12:43
Yet another reason to ensure you're using 2FA everywhere that supports it!

freitasm (Administrator)
#1855238 30-Aug-2017 12:48
I have a long list of 2FA credentials but not many services support this yet.

Rikkitic
#1855243 30-Aug-2017 12:56
I don't have a cell phone. I don't need one and I don't want to have one. Is 2FA even possible without one? How would that work?

Plesse igmore amd axxept applogies in adbance fir anu typos

kyhwana2
#1855246 30-Aug-2017 13:04
There are software and hardware tokens (such as YubiKeys, which do U2F). For TOTP software you can use something like Gauth https://chrome.google.com/webstore/detail/gauth-authenticator/ilgcnhelpchnceeipipijaljkblbcobl and enter the secret manually.

Rikkitic
#1855275 30-Aug-2017 13:42
OK, thanks. Would that also work for Geekzone?

kyhwana2
#1855285 30-Aug-2017 14:05
Yep, Geekzone uses the "TOTP" standard.

As with all things, make sure you keep a backup! (Of your password manager database and 2FA tokens. You can write down the TOTP "secret" on paper and store it in a safe etc.)

dryburn
#1855287 30-Aug-2017 14:10
Does Troy's Have I been pwned service have a list of breached data content and then run that against the email you enter?

Oblivian
#1855290 30-Aug-2017 14:15
Could be related to the latest Locky outbreak.

Quadruple the spam has gone out with it.

https://blog.fortinet.com/2017/08/17/locky-launches-a-more-massive-spam-campaign-with-new-lukitus-variant

surfisup1000
#1855291 30-Aug-2017 14:16
freitasm:
This huge (711 million records) leak would explain some email being sent from people's addresses, and it contains email, password and SMTP server.

I commented on there - Troy's Have I been pwned service is great, but it's getting harder now to manage passwords. If you have a website leak and know the source, you know where to change the password, but with leaks that are username + password then it's harder to know where to change. And since he (rightly) does not disclose the passwords in the dumps, those already using unique passwords have a harder time.

It seems we have to start using unique email + unique passwords to be able to better manage security. Those email aliases or emails with "+" in the address come in handy here.

I recommend subscribing to the notification service at Have I been pwned so you receive notifications of leaks.

Email as we know it today is quite broken.

Inphinity
#1855300 30-Aug-2017 14:51
dryburn:
Does Troy's Have I been pwned service have a list of breached data content and then run that against the email you enter?

Yes, he maintains a DB based on leaked / breached lists of data and uses it to search against.

kryptonjohn
#1855303 30-Aug-2017 15:07
freitasm:
This huge (711 million records) leak would explain some email being sent from people's addresses, and it contains email, password and SMTP server.

I commented on there - Troy's Have I been pwned service is great, but it's getting harder now to manage passwords. If you have a website leak and know the source, you know where to change the password, but with leaks that are username + password then it's harder to know where to change. And since he (rightly) does not disclose the passwords in the dumps, those already using unique passwords have a harder time.

It seems we have to start using unique email + unique passwords to be able to better manage security. Those email aliases or emails with "+" in the address come in handy here.

I recommend subscribing to the notification service at Have I been pwned so you receive notifications of leaks.

Two of my emails were found on Troy's! But I now use LastPass to manage passwords, and I can check the dates that passwords were last changed and confirm they were changed subsequent to the reported breaches.

LastPass is fantastic - I really don't know how I managed without it. Actually I do know - I used to use the same passwords on dozens of different sites, which is a no-no, but the alternative is to write them down somewhere, which is also a no-no. The other thing LastPass does well is its security check - it will tell you about sites that have weak passwords or passwords that are similar to passwords for other sites.

michaelmurfy (Moderator)
#1855334 30-Aug-2017 15:42
@kyhwana2 have a look at Authy (https://authy.com/) - very good and has device sync.

Michael Murphy | https://murfy.nz

mdf
#1855338 30-Aug-2017 15:50
michaelmurfy:
@kyhwana2 have a look at Authy (https://authy.com/) - very good and has device sync.

As does LastPass Authenticator (also TOTP compliant). I really like the push to authenticate option.

kyhwana2
#1855377 30-Aug-2017 16:42
michaelmurfy:
@kyhwana2 have a look at Authy (https://authy.com/) - very good and has device sync.

Authy requires a smartphone/mobile number (to auth for the app install etc.) though, and someone mentioned they don't have one.

freitasm (Administrator)
#1855393 30-Aug-2017 16:47
@mdf:
michaelmurfy:
@kyhwana2 have a look at Authy (https://authy.com/) - very good and has device sync.

As does LastPass Authenticator (also TOTP compliant). I really like the push to authenticate option.

The problem with using LastPass Authenticator is that you then have BOTH your password AND your second authentication factor in the same platform. If LastPass is compromised (or your LastPass account is compromised by phishing) then the Bad Guy (TM) has all the keys needed to access all your accounts.

Keep it separate.