Geekzone: technology news, blogs, forums


freitasm

BDFL - Memuneh
79257 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

#222826 30-Aug-2017 11:52

This huge (711 million records) leak would explain some email being sent from people's addresses and it contains email, password and SMTP server. 

 

I commented on there - Troy's Have I been pwned service is great but it's getting harder now to manage passwords. If you have a website leak and know the source you know where to change the password but with leaks that are username + password then it's harder to know where to change. And since he (rightly) does not disclose the passwords in the dumps then those already using unique passwords have a harder time.

 

It seems we have to start using unique email + unique passwords to be able to better manage security. Those email aliases or emails with "+" in the address come in handy here.

 

I recommend subscribing to the notification service at Have I been pwned so you receive notifications of leaks.





kyhwana2
2566 posts

Uber Geek


  #1855236 30-Aug-2017 12:43

Yet another reason to ensure you're using 2FA everywhere that supports it!

 




freitasm

BDFL - Memuneh
79257 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1855238 30-Aug-2017 12:48

I have a long list of 2FA credentials but not many services support this yet.






Rikkitic
Awrrr
18657 posts

Uber Geek

Lifetime subscriber

  #1855243 30-Aug-2017 12:56

I don't have a cell phone. I don't need one and I don't want to have one. Is 2FA even possible without one? How would that work?

 

 

 

 





Plesse igmore amd axxept applogies in adbance fir anu typos

 


 




kyhwana2
2566 posts

Uber Geek


  #1855246 30-Aug-2017 13:04

There are software and hardware tokens (such as Yubikeys which do U2F). For TOTP software you can use something like Gauth https://chrome.google.com/webstore/detail/gauth-authenticator/ilgcnhelpchnceeipipijaljkblbcobl and enter the Secret manually.

 


Rikkitic
Awrrr
18657 posts

Uber Geek

Lifetime subscriber

  #1855275 30-Aug-2017 13:42

OK, thanks. Would that also work for Geekzone?

 

 





Plesse igmore amd axxept applogies in adbance fir anu typos

 


 


kyhwana2
2566 posts

Uber Geek


  #1855285 30-Aug-2017 14:05

Yep, Geekzone uses the "TOTP" standard.

 

As with all things, make sure you keep a backup! (Of your password manager database and 2fa tokens. You can write down the TOTP "secret" on paper and store it in a safe etc)

 


dryburn
430 posts

Ultimate Geek


  #1855287 30-Aug-2017 14:10

Does Troy's Have I been pwned service have a list of breached data content and then run that against the email you enter?


 
 
 

Oblivian
7296 posts

Uber Geek

ID Verified

  #1855290 30-Aug-2017 14:15

Could be related to the latest Locky outbreak.

 

 

 

Quadruple the spam gone out with it. 

 

https://blog.fortinet.com/2017/08/17/locky-launches-a-more-massive-spam-campaign-with-new-lukitus-variant 


surfisup1000
5288 posts

Uber Geek


  #1855291 30-Aug-2017 14:16

freitasm:

 

This huge (711 million records) leak would explain some email being sent from people's addresses and it contains email, password and SMTP server. 

 

I commented on there - Troy's Have I been pwned service is great but it's getting harder now to manage passwords. If you have a website leak and know the source you know where to change the password but with leaks that are username + password then it's harder to know where to change. And since he (rightly) does not disclose the passwords in the dumps then those already using unique passwords have a harder time.

 

It seems we have to start using unique email + unique passwords to be able to better manage security. Those email aliases or emails with "+" in the address come in handy here.

 

I recommend subscribing to the notification service at Have I been pwned so you receive notifications of leaks.

 

 

Email as we know it today is quite broken. 

 

 


Inphinity
2780 posts

Uber Geek


  #1855300 30-Aug-2017 14:51

dryburn:

 

Does Troy's Have I been pwned service have a list of breached data content and then run that against the email you enter?

 

 

Yes, he maintains a DB based on leaked / breached lists of data and uses it to search against.


kryptonjohn
2523 posts

Uber Geek

Lifetime subscriber

  #1855303 30-Aug-2017 15:07

freitasm:

 

This huge (711 million records) leak would explain some email being sent from people's addresses and it contains email, password and SMTP server. 

 

I commented on there - Troy's Have I been pwned service is great but it's getting harder now to manage passwords. If you have a website leak and know the source you know where to change the password but with leaks that are username + password then it's harder to know where to change. And since he (rightly) does not disclose the passwords in the dumps then those already using unique passwords have a harder time.

 

It seems we have to start using unique email + unique passwords to be able to better manage security. Those email aliases or emails with "+" in the address come in handy here.

 

I recommend subscribing to the notification service at Have I been pwned so you receive notifications of leaks.

 

 

Two of my emails were found on Troy's! But I now use LastPass to manage passwords, and I can check the dates that passwords were last changed and confirm they were changed subsequent to the reported breaches.

 

LastPass is fantastic - I really don't know how I managed without it. Actually I do know - I used to use the same passwords on dozens of different sites which is a no-no but the alternative is to write them down somewhere which is also a no-no. The other thing LastPass does well is its security check - it will tell you about sites that have weak passwords or passwords that are similar to passwords for other sites.


michaelmurfy
meow
13240 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1855334 30-Aug-2017 15:42

@kyhwana2 have a look at Authy (https://authy.com/) - very good and has device sync.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


mdf

mdf
3513 posts

Uber Geek

Trusted

  #1855338 30-Aug-2017 15:50

michaelmurfy:

@kyhwana2 have a look at Authy (https://authy.com/) - very good and has device sync.



As does LastPass Authenticator (also TOTP compliant). I really like the push to authenticate option.

kyhwana2
2566 posts

Uber Geek


  #1855377 30-Aug-2017 16:42

michaelmurfy:

@kyhwana2 have a look at Authy (https://authy.com/) - very good and has device sync.

 

 

Authy requires a smartphone/mobile number (to auth for the app install etc) tho, and someone mentioned they don't have one.

freitasm

BDFL - Memuneh
79257 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1855393 30-Aug-2017 16:47

@mdf:

 

michaelmurfy:

 

kyhwana2 have a look at Authy (https://authy.com/) - very good and has device sync.

 



As does LastPass Authenticator (also TOTP compliant). I really like the push to authenticate option.

 

The problem with using LastPass authenticator is that you then have BOTH your password AND your second authentication factor in the same platform. If LastPass is compromised (or your LastPass account is compromised by phishing) then the Bad Guy (TM) has all the keys needed to access all your accounts.

 

Keep it separate.




