Saturday, 23 February, 2019

773 million unique email IDs leaked: Web Security Researcher

Image Source KrebsOnSecurity
Sherri Watson | 18 January, 2019, 20:02

Have I Been Pwned, the breach notification service that serves as a bellwether for the security of login credentials, has just gotten its hands on its biggest data haul ever - a list that includes nearly 773 million unique email addresses and 21 million unique passwords that were used to log in to third-party sites.

In addition to 772 million email addresses, almost 22 million unique passwords were dumped in plain text online.

Hunt stressed that verifying the veracity of the data in any kind of breach is "non-trivial". The sheer size of this breach of information eclipses that of any other single incident - and the chances that your email isn't among the leaked addresses are small.

Hunt tells Wired.com that it's hard to see where the info originated from - but it could have come from more than two-thousand leaked databases. Wired.com reported that this is "the largest breach to become public". The database contains a total of 1,160,253,228 unique combinations of email addresses and passwords, 772,904,991 unique email addresses and 21,222,975 unique passwords.

Gizmodo reports security researcher Troy Hunt, who runs the website "Have I Been Pwned", said the large file contains 12,000 separate files and 87GB worth of data. If it shows "Good news - no pwnage found!" you're good. The massive spike in failed logins, then the access into someone else's account before the hacker changes the password, then the account lock-out for the real user, then the customer service calls to regain access to their account. As Hunt wryly suggested, Pwned Passwords is a great resource for learning just how unwise it is to use a password like "P@ssword" for any online account. Some of the email addresses were linked to more than one password, and most of the passwords were either still "hashed" or were linked to more than one email address. But he wonders if the organizations or affected users even know that a breach took place. If it has, you should probably change your password right away. If your oh-so-secure password does pop up, you're likely at a greater risk of it being exposed.

What's more, Have I Been Pwned has a searchable database of compromised passwords that users of Hunt's site can use to see if their passwords have been compromised in a breach.

Well, first up, go to Have I Been Pwned and check your email there to find out if you've been compromised. You enter a password and the site tells you if it's appeared in any breaches.

Hunt built this site over 18 months ago to help people check whether or not the password they'd like to use was on a list of known breached passwords.