
773M Password ‘Megabreach’ Is Years Old - rkrzr
https://krebsonsecurity.com/2019/01/773m-password-megabreach-is-years-old/
======
ascar
For a few weeks now I have been receiving spam emails threatening me with an old
password I no longer use. I wonder if it's related to this collection. It
starts with:

> _I am well aware [old password I think I swapped out everywhere, but
> definitely in all important places, when I started to use random keepass pws
> two years ago] is your pass words. Lets get straight to the point. None has
> compensated me to check about you. You don 't know me and you're most likely
> wondering why you are getting this e-mail?_

He continues to tell me my computer was hacked using that password, he
downloaded my contacts, recorded me watching porn and now threatens to send
that video to all my contacts. Of course unless I send him bitcoins for about
$1000 to 1EiJMyvw2NP6T6vyWQ81HgUfBUVT1mqZkM

I have received several of these emails in my spam folder since December. The
password comes most likely from the Heroes of Newerth leak back in 2014!

It's obviously a scam no one should respond to, but I'm sure there is a large
enough number of people that get intimidated enough and are actually buying
and sending bitcoins. This is a real threat these collections create. To be
honest I feel uneasy about this email though I'm 100% sure this password is
not used for anything important since about two years ago. I can't imagine how
someone with a current password and no security/compsci knowledge at all would
feel.

I unfortunately deleted all but the last of these emails, so I wonder if he
reuses the same bitcoin address and it can be easily blacklisted by
authorities. If he is smart he generates a different address for every single
email.

~~~
kyoob
The best defense, just in case one of these cases turns out to be legit, is to
send a video of myself watching porn to all my contacts preemptively. Take out
their leverage, you know?

~~~
ascar
Yea, a double video of you and what you are watching. Select the most
degenerate stuff you ever watched.

This would be a nightmare for basically anyone.

~~~
andai
This reminds me of the time I experimented with screen recording for self-
analysis and productivity. It sometimes captured things I didn't want on
video, but I forgot to turn off the recorder while I was deleting the footage.
So I ended up with footage of me trying to cover up embarrassing footage.

~~~
jen729w
Has anyone done this as part of a ‘presentation skills’ course? You record
yourself giving your talk and then you play it back _but sped up a little_.

Boy do those nervous tics appear obvious at 2x. By the end you just want to
scream out to yourself “stop touching your ear!”.

~~~
jhalstead
This was a requirement in a Speech course I took during community college.
Each of my speeches was recorded while I gave it to the class. After each one,
I had to watch the recording and write a short paper that analyzed the
physical presentation that I gave including my tics/mannerisms/etc.

Edit: We each brought in our own VHS tape (this was 2010-2011) on presentation
day and [https://www.svcc.edu/employees/directory/pa-
fulfs/index.html](https://www.svcc.edu/employees/directory/pa-
fulfs/index.html) would swap them in/out for each speech. Good memories... :)

~~~
cbnotfromthere
VHS tapes in 2010-2011?????

------
Jordrok
I can't remember if it was haveibeenpwned.com or some other site, but I seem
to recall once a few years ago checking my email on a site which also showed
you the first two characters of the password which had been compromised. Maybe
it has since been discontinued because of security concerns, but I found it
really useful at the time because it let me know that the leaked password was
an old one that I hadn't used in years.

I know best practice is to immediately change your password regardless, but
with the increasing frequency of these kinds of breaches and the reuse and
recombination of old lists, how long will it be before emails from leak
notification sites like haveibeenpwned start becoming so frequent that people
start ignoring them? I am already more guilty of that than I'd like to admit,
even though I should know better.

I know there are various places you can check a given password against known
leak lists, but it makes me really uncomfortable typing my password into
anyplace which is not a password manager or the site it's used for - enough
that I want to change it afterwards anyway.

I already hear the arguments that none of this matters if you follow best
practices, which are not wrong, but I've always gone with the option which is
as secure as possible without being overly burdensome, and I'm sure I'm not
the only one.

~~~
atnurbel
haveibeenpwned has an API to check your password against their known list that
only requires you to send the first 5 characters of the SHA-1 hash:
[https://api.pwnedpasswords.com/range/5407a](https://api.pwnedpasswords.com/range/5407a).

You get a list of corresponding hash suffixes and check if yours is there.
[https://haveibeenpwned.com/api/v2/#SearchingPwnedPasswordsBy...](https://haveibeenpwned.com/api/v2/#SearchingPwnedPasswordsByRange)
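
As an added worked example (not code from the thread or from HIBP), here is the client side of that range check in Go: hash the password with SHA-1, send only the first five hex characters, and match the remaining 35 against the returned `SUFFIX:COUNT` lines locally, so the server never learns the password or its full hash. The response body in the block is constructed for the prefix of "password" with made-up suffixes and counts so it runs offline; `fakeFetch` stands in for an HTTP GET of the URL the program prints.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// HashParts returns SHA-1(pw) as uppercase hex, split into the 5-character
// prefix that goes to the API and the 35-character suffix that stays local.
func HashParts(pw string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(pw))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// CountInRange scans a range response ("SUFFIX:COUNT" per line) for suffix
// and returns its count, or 0 if the suffix is absent or the line is malformed.
func CountInRange(body, suffix string) int {
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		suf, cnt, ok := strings.Cut(strings.TrimSpace(sc.Text()), ":")
		if !ok || !strings.EqualFold(suf, suffix) {
			continue
		}
		n, err := strconv.Atoi(strings.TrimSpace(cnt))
		if err != nil {
			return 0
		}
		return n
	}
	return 0
}

// Pwned runs the whole check with an injectable fetcher, so the same code
// works against the live API or, as here, a canned response. Only the
// 5-character prefix ever reaches fetchRange.
func Pwned(pw string, fetchRange func(prefix string) (string, error)) (int, error) {
	prefix, suffix := HashParts(pw)
	body, err := fetchRange(prefix)
	if err != nil {
		return 0, err
	}
	return CountInRange(body, suffix), nil
}

// sampleRange is a constructed stand-in for the body of
// GET https://api.pwnedpasswords.com/range/5BAA6 (the prefix for "password").
// The other suffixes and every count are made up for this example.
const sampleRange = `1D72CD07550416C216D8AD296BF5C0AE8E0:5
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:2
`

// fakeFetch replaces the HTTP GET so the example runs offline.
func fakeFetch(prefix string) (string, error) {
	if prefix == "5BAA6" {
		return sampleRange, nil
	}
	return "", nil // any other range: pretend the API returned no lines
}

func main() {
	for _, pw := range []string{"password", "correct-horse-battery-staple-2019"} {
		prefix, _ := HashParts(pw)
		n, _ := Pwned(pw, fakeFetch)
		fmt.Printf("%q -> GET https://api.pwnedpasswords.com/range/%s -> seen %d times\n", pw, prefix, n)
	}
}
```

Matching is case-insensitive because the API returns uppercase hex while some client libraries lowercase it; a zero count means only that the suffix was absent from the range, not that the password is strong.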

~~~
fwip
That interactive javascript checker on their site also uses that API, so in
theory HIBP doesn't get sent a copy of your password.

A couple of weeks ago I spun up a little clone with slightly-simpler
javascript, just in case HIBP starts serving malicious javascript:
[https://safepasswordchecker.hashbase.io/](https://safepasswordchecker.hashbase.io/)

Feel free to download the site and javascript for a static copy. Or reuse or
modify and reshare as you like, as long as you're not malicious.

Edit: This site was made with Beaker Browser
([https://beakerbrowser.com](https://beakerbrowser.com)), which is rad, and
you should check it out. Feel free to download / fork this site.

------
yingw787
I was terrified of my old email being compromised because somebody tried
logging into it from Windows (I don't use Windows) and because I had an
identity theft scare a month back. What I'm doing going forward is having a
personal email acct I don't give out (with 2FA thru U2F), and creating burner
GMail accounts that forward emails to that email using POP3. I'm already pwned
because I use my personal email for a lot of things, but I like to think it
keeps my attack surface minimal.

~~~
ascar
Adding a bit of security on the identification side (usernames/emails) isn't
completely useless, but the focus should be on securing authentication. I.e.
never use a password twice and add 2FA to everything even vaguely important to
you.

With password managers that's also way easier than managing a lot of email
accounts.

~~~
yingw787
I use Bitwarden, password autogen, and 2FA to manage those too, though I'm not
fully migrated over yet (still have a lot of weak duplicate passwords). My
problem is the older services I have to use that don't support 2FA.

~~~
SpaethCo
In all honesty, it's probably not worth worrying about. The implementation of
2FA you're referring to here is just adding a 2nd secret, with a small twist
of having a time component.

There are very few scenarios where your (high entropy) password would be
compromised in a way that wouldn't also lead to the discovery of at least 1
functional 2FA code.

1) Website is breached. If they can get the account password hashes, chances
are they're going to get the TOTP seeds as well.

2) You're phished. Your attacker passes through your credentials (scraping the
password along the way), and they get a functional session token. With most
services, you can turn off 2FA just by reconfirming the account password.

3) Your password manager is breached. 'nuff said.

The push behind 2FA isn't so much because high entropy passwords are
vulnerable (except in a phishing context, but there TOTP is equally
vulnerable) -- the momentum behind 2FA is because we can't convince people to
stop using '123456' as a password.
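
To make "a 2nd secret, with a small twist of having a time component" concrete, here is RFC 6238 TOTP in Go as an added example (not from the thread): the code is HMAC-SHA1 of the current 30-second counter under the shared seed, truncated to six digits. Anyone holding the seed, which is what a dumped TOTP table hands over in scenario 1 above, runs the same function and gets the same codes. The seed is the RFC 6238 test vector, not a real secret, and the one-step skew window in `Valid` is a common server choice assumed here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// TOTP returns the 6-digit RFC 6238 code for a shared seed at Unix time t
// (HMAC-SHA1, 30-second step). All it needs is the seed and a clock.
func TOTP(seed []byte, t int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t/30))
	mac := hmac.New(sha1.New, seed)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 5.3): the low nibble of the last byte picks
	// a 4-byte window; mask the sign bit; keep the low 6 decimal digits.
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Valid is the server-side check: accept the current step and one step on
// either side to absorb clock skew, comparing in constant time.
func Valid(seed []byte, code string, now int64) bool {
	for _, skew := range []int64{-30, 0, 30} {
		if hmac.Equal([]byte(TOTP(seed, now+skew)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	seed := []byte("12345678901234567890") // RFC 6238 test seed, not a real secret
	now := time.Now().Unix()
	code := TOTP(seed, now)
	fmt.Printf("code for this 30s window: %s, accepted by server: %v\n", code, Valid(seed, code, now))
	fmt.Printf("same seed at T=59 (RFC 6238 vector 94287082, last 6 digits): %s\n", TOTP(seed, 59))
}
```

A phishing proxy does not even need the seed: it relays the six digits the victim types while they are still inside the skew window, which is the phishing caveat the comment makes.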

~~~
yingw787
I’ve been robbed six times, including once where one third of my money
disappeared. I agree with you that security is only as strong as its weakest
link. I just take emotional comfort in doing everything I can to make myself
more prickly and less vulnerable.

~~~
kerng
That's scary. If you have been robbed six times, your operational security is
probably pretty weak. Unless you are some kind of high value asset.

Would be curious to learn more about how it happened, to see if there are any
learnings for myself to improve operational security.

------
willvarfar
So the seller shows a screenshot with browser tabs, a date and a time. One of
the tabs is really very specific, looking at a particular disqus profile.

I'm not familiar with Windows; is there anything in the screenshot to suggest
its torbrowser or anything like that?

Presumably the miscreant's ISP and e.g. the Russian government can guess real
easy who generated that screenshot...?

Of course what they'd do with that info is anyone's guess. It could well not
be an offence to sell collections of passwords, if indeed it's even an offence
to hack those passwords in the first place.

~~~
baseballMan
The screenshot has a tab open on this article:
[https://www.troyhunt.com/the-773-million-record-
collection-1...](https://www.troyhunt.com/the-773-million-record-
collection-1-data-reach/)

I don't think it's from the seller - looks like it was taken by the author of
this article.

~~~
invalidusernam3
It addresses that in the article: "...notice the open Web browser tab behind
his purloined password trove (which is apparently stored at Mega.nz): Troy
Hunt’s published research on this 773 million Collection #1"

~~~
excalibur
Sooo this is either a screenshot of Sanixer's machine or of someone who has
access to his entire trove. Clearly not the author's.

I see the mega.nz handle "Louren KINGUR" with avatar, and the same person's
Google account avatar with no username. I did an image search on this latter
one and came up empty handed, but maybe someone with more finesse could find
him this way.

------
dhruvrrp
In the first image with the Telegram ID the other ID is for Discord. I don't
recall Discord being e2e encrypted so that is an interesting choice to offer.
Especially since Discord is known to have access to all data since they
regularly remove chats/servers that don't follow their ToS.

~~~
sbarre
The seller may be using a VPN to mitigate this.

~~~
ViViDboarder
Discord would still have the contents of the messages.

------
jammygit
This has been the event that has finally convinced my wife to use a password
manager. I'm torn between bitwarden and 1Password though. Anyone care to weigh
in on the options? My biggest concern with BitWarden is the lack of automated
testing

edit - just fyi, Bitwarden responded on github last month with a plan to add
some testing, and I _think_ some of their code does use automated testing.
They have issues on GitHub tracking it :)

~~~
jchw
Bitwarden is nice from a user perspective. I'm a former 1password user and
switched because I felt that things in the 1password world moved slowly, even
though it costs more than Bitwarden. Bitwarden being open source and audited
also helps a lot for trusting it, even if it isn't perfect.

1password has a rock solid UX that looks pretty. Bitwarden is more practical
imo. I prefer the latter these days. Guessing the 1password iOS app is
probably better than what Bitwarden offers, but I don't know, because I use an
Android phone, and I prefer Bitwarden on Android.

~~~
jammygit
I use bitwarden personally and I like it a lot. I was using Dashlane
previously and the ubuntu UX was awful (strictly browser extension, missing
features, etc).

I'm only nervous about Bitwarden because of the lack of automated testing.
At least one closed-source one apparently does not test either, possibly
<edit: my memory is too fuzzy to name anything> but please don't quote me on
that since my memory is fuzzy.

See my note above about Bitwarden adding tests though

------
ocdtrekkie
All of the breaches are, especially these compilation ones. I switched email
addresses back in 2016, and despite having accounts basically everywhere, my
newer account has never showed up in a breach. Even the email address I used
primarily for new accounts years before that hasn't shown up in any. Only my
original created-in-2006 Gmail account ends up in breach lists.

~~~
mipmap04
On the topic of old email addresses, make sure your old email provider doesn't
release your email address after so many years / months. This is a common way
to get access to accounts by creating a new email account with the same
address as an expired address and then using an email-based password reset to
gain access to the account. Happened to my wife with an old email address from
high school.

~~~
newscracker
This is really a big problem since one is forced to keep old addresses active
and around. But your email provider, even if it’s a paid service, may have
stupid policies to recycle addresses very soon and may not make exceptions for
you.

Posteo.de recycles deleted email addresses/aliases in three months. Fastmail
is also similar and recycles them within three months or so. Same goes for
Mailbox.org. All these paid services are pathetic in this regard.

Runbox.com (which I don’t use) is the only paid email service that clearly
states that it never ever recycles email addresses, just like Gmail and Yahoo
Mail don’t do either.

I’d like to know about privacy focused paid email services that have a clear
policy of not recycling addresses.

~~~
ocdtrekkie
Ideally if you're paying for email as it is, you should probably be in the
custom domain space. FastMail may be able to reuse my FastMail address, but my
FastMail address is tied to very little, since I use a custom domain, that
they can't keep.

Of course, as a reminder: This means you have to keep your custom domain, or
else someone can register it after it expires and make any emails they want on
it. But if you have a domain personal to you that you've used as part of your
email address, you should probably keep it forever anyways.

------
dmix
Anyone here recommend a good security key? Is YubiKey still the best option?

I noticed that they don't have any USB-C + NFC options.

~~~
svv
They do have NFC and USB-C options (separately, though), and are planning to
launch Lightning as well

[https://www.yubico.com/2019/01/yubico-launches-the-
security-...](https://www.yubico.com/2019/01/yubico-launches-the-security-key-
nfc-and-a-private-preview-of-the-yubikey-for-lightning-at-ces-2019/)

~~~
dmix
Yes, I was looking for USB-C + NFC, so I can use it with my Macbook +
iPhone... having to buy two seems inconvenient.

~~~
tialaramex
Note that you will want to own at least two and enroll both of them to
properly lock down a service so that it doesn't need some plan B. The reason
is that obviously if it's locked down to a single U2F Security Key and that
key breaks or is lost you're screwed.

Google's programme aimed at high risk people (e.g. journalists covering
government corruption) specifically aims to leave you in a position where so
long as you have control over the physical devices your secrets are safe, and
if the devices are destroyed then your account is irrevocably lost and too
bad. Doing that with just one key is asking for trouble.

If you're just dipping your toe in the water, buying one key and having your
plan B be a bunch of one time codes written in the back of a diary in your
locked desk drawer makes sense, and if you're mostly just interested in the
cool technology and not worried about security then going to a Key with Google
Authenticator as plan B is fine too.

But if you want this to solve all your problems as advertised, buy two keys.

~~~
dmix
Thanks that’s good advice. Is the idea your token is synced across both
devices? Or you have two separate tokens that allow you to authenticate? I’ve
only set up a mobile based authenticator per account before...

~~~
tialaramex
Ordinary Security Keys can't be synchronised so as to be interchangeable. A
good U2F/ WebAuthn implementation lets you enroll several of them and use any
each time you sign in. So yeah, separate tokens, any of them works.

It's pretty different from authenticator apps, it can be much more convenient
(no trying to quickly type in six digit numbers) but it's kinda expensive for
now.

Ordinary Security Keys only know how to do exactly one thing, prove that
they're still the same Security Key that they were the last time. They can't
even prove which one they are in particular (most can prove which model they
are, because a bank or something might be like "Ooh, we like this technology
but we insist you use Bank of America brand Keys..." but they don't even know
like a "serial number" or anything). This is deliberate - it allows the
strongest possible privacy guarantees while still delivering a useful security
function. The Firefox implementation lets you pick "No" when sites ask which
model it is - I always do, none of their bloody business, it's a Security Key,
eat it.

When you "enroll" a Key the site gets back a "cookie" (not an HTTP cookie)
that is only useful to identify that site to that Security Key; an Elliptic
Curve public key; and a signature proving the Key knows the corresponding
private key and was enrolling with this specific web site. The site puts those
somewhere (presumably a database table) ready to use them when you log in
subsequently.

When you need to log in, the site gets its list of all the keys you've
enrolled and says "OK, here are the cookies for some keys you enrolled, prove
you still have one". If you have one of these keys it can find its cookie
among the set, and it knows the private key that goes with that cookie, so it
can sign a new message saying "Hi, this is still me, signing in to $domain
right $now" and the site verifies that with the public key.

In principle the Security Key could be keeping a big database of every site it
has enrolled with and the cookies used versus private keys. In practice what
it does is make a random new private key each time it enrolls, encrypt the
private key and put the result in the cookie. Only it knows how to decrypt the
cookie, so there's no danger from this approach.
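
A toy model of the enrol/sign-in flow described above, as an added example that is not part of the thread or of any real authenticator's firmware. It follows the comment's description (fresh key pair per enrolment, private key encrypted into the handle, signature bound to the site and a challenge, any of several enrolled keys works) rather than the real U2F/WebAuthn wire formats, which are more involved, and it leaves out the model attestation the comment mentions. AES-256-GCM as the wrapping cipher, P-256 ECDSA, the origin `https://example.com` and the challenge strings are all assumptions for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// Key is a toy authenticator: its only long-term secret is a wrapping key.
type Key struct {
	wrap    cipher.AEAD
	counter uint32
}

// NewKey draws a random 256-bit wrapping key and uses it with AES-GCM.
func NewKey() *Key {
	master := make([]byte, 32)
	rand.Read(master)                 // crypto/rand; does not fail on supported platforms
	block, _ := aes.NewCipher(master) // a 32-byte key is always valid
	aead, _ := cipher.NewGCM(block)
	return &Key{wrap: aead}
}

// digest is SHA-256 over the concatenation of its arguments.
func digest(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// Register mints a fresh P-256 key pair, encrypts the private key into the
// handle (the "cookie") with the origin hash as associated data, and signs the
// challenge with the new key. It returns handle, DER public key, signature.
func (k *Key) Register(origin string, challenge []byte) ([]byte, []byte, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	privDER, _ := x509.MarshalECPrivateKey(priv) // a key we just generated always marshals
	pubDER, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	nonce := make([]byte, k.wrap.NonceSize())
	rand.Read(nonce)
	handle := k.wrap.Seal(nonce, nonce, privDER, digest([]byte(origin)))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, RegMsg(origin, handle, pubDER, challenge))
	return handle, pubDER, sig, err
}

// Authenticate tries each handle the site presents. Only one this Key wrapped
// for this origin opens (GCM rejects anything else); it then signs
// (origin, counter, challenge) and returns the handle used, counter, signature.
func (k *Key) Authenticate(origin string, handles [][]byte, challenge []byte) ([]byte, uint32, []byte, error) {
	ns := k.wrap.NonceSize()
	for _, h := range handles {
		if len(h) < ns {
			continue
		}
		der, err := k.wrap.Open(nil, h[:ns], h[ns:], digest([]byte(origin)))
		if err != nil {
			continue // not minted by this key, or minted for another origin
		}
		priv, _ := x509.ParseECPrivateKey(der) // GCM authenticated it: our own encoding
		k.counter++
		sig, err := ecdsa.SignASN1(rand.Reader, priv, AuthMsg(origin, k.counter, challenge))
		return h, k.counter, sig, err
	}
	return nil, 0, nil, errors.New("no presented handle belongs to this key")
}

// RegMsg and AuthMsg are the hashed messages each side signs and verifies.
// Both include the origin, so a signature for one site is useless at another.
func RegMsg(origin string, handle, pubDER, challenge []byte) []byte {
	return digest(digest([]byte(origin)), challenge, handle, pubDER)
}

func AuthMsg(origin string, counter uint32, challenge []byte) []byte {
	return digest(digest([]byte(origin)), binary.BigEndian.AppendUint32(nil, counter), challenge)
}

// Verify is the site side: parse the stored public key, check the signature.
func Verify(pubDER, msg, sig []byte) bool {
	pub, err := x509.ParsePKIXPublicKey(pubDER)
	ec, ok := pub.(*ecdsa.PublicKey)
	return err == nil && ok && ecdsa.VerifyASN1(ec, msg, sig)
}

func main() {
	const origin = "https://example.com" // assumed relying party for the demo
	k := NewKey()
	handle, pubDER, _, _ := k.Register(origin, []byte("enrol challenge"))
	login := []byte("login challenge")
	_, ctr, sig, err := k.Authenticate(origin, [][]byte{handle}, login)
	fmt.Println("login verified:", err == nil && Verify(pubDER, AuthMsg(origin, ctr, login), sig))
}
```

The site stores nothing but handle and public key, as the comment says, and it can hand every enrolled handle to whichever key is plugged in; the key recognises its own because only its wrapping key opens the GCM ciphertext, and the origin hash as associated data is what makes the same handle fail at a different site.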

~~~
dmix
Thanks, I'm going to buy more than one for backup and use the multi-key
approach. Appreciate the long explanation. I've been meaning to set this up
for years.

This should be standard practice taught to kids in school! Especially
considering their whole life is digital now.

I saw that Linux's full disk encryption supports Yubikey as well as Gnome
login screens which is neat.

------
neogodless
For Troy Hunt's detailed breakdown of this particular breach:
[https://www.troyhunt.com/the-773-million-record-
collection-1...](https://www.troyhunt.com/the-773-million-record-
collection-1-data-reach/)

~~~
lern_too_spel
It just took a minute of searching to find the other collections. Does Troy
wait for people to send him specific files? [https://raidforums.com/Thread-
Collection-1-5-Zabagur-AntiPub...](https://raidforums.com/Thread-
Collection-1-5-Zabagur-AntiPublic-Latest-120GB-1TB-TOTAL-Leaked-Download)

~~~
WorldMaker
In a blog post some time back Troy mentioned that he will not pay for files on
principle, because he doesn't need to financially support black
hats/thieves/criminals and most of the "best" files themselves get stolen or
breached (because thieves will be thieves).

I think it is a reasonable position not to pay for these files, if the money
is just going to encourage the creation of more of them.

------
paulcole
Yeah, somebody signed into my Netflix account that I reactivated after years
and years of inactivity. It was the only site that was using a really old
password that's in this breach.

------
GCA10
Naive soul here, but is it really wise to type live passwords into someone's
site that ostensibly is looking for matches with its existing database? That
seems awfully trusting.

~~~
ploxiln
The reasoning given is: if you're aware it's a bad idea, great! Don't do it.
If you don't yet know it's a bad idea, and do it, you'll see how many places
it has already been leaked, and hopefully start using different passwords, and
a password manager ...

~~~
tqkxzugoaupvwqr
It trains average/non-IT people to enter their password on websites to
“check”. If scammers start setting up mock websites that ask you to enter your
password to see if your account was hacked, people will fall for it because
they have been trained by white-hats that this is an acceptable practice.

~~~
acct1771
You have to dig to get to this feature.

The consumer facing feature is entering your email address.

------
jmakov
Probably a good start to using 2FA and security keys.

~~~
FlorianRappl
I think having 2FA should be a feature of every page that provides a login
possibility.

~~~
gnulinux
There should be a login-as-a-service startup offering secure login tool that
is easily configurable.

------
some345
I think they are also trying to use the same credentials to log in to
accounts. I got an email from Epic Games saying there were too many failed login
attempts, so it was suspended. Ironically, I don't even remember having one.
So I logged into the account and made sure none of the information on
there was personal.

~~~
aristophenes
Did you click on the link in the email to log in? That's another one to be
aware of, fake clone websites linked to fake emails purporting to be from the
company.

Always go directly to the site using your bookmarks or typing it in, or at
least remember to check the url before you click it.

~~~
some345
Actually, they only offered a link for enabling 2FA. And yea, I typed the
website in. I have a fake name on the account, and I don't have any payment
info on there since I'm not playing any of their games. Now I really have to
just think of a constant false name when registering accounts.

------
AdmiralAsshat
That would explain why HIBP told me my account was in the breach, but I
couldn't find a specific password within his Password Checker--the breach is
probably from before I switched to a password manager and rotated all of my
passwords.

------
onion2k
Thank goodness everyone changes their password regularly.

~~~
jerf
In all seriousness, the reason why this and several collections roughly as
large as it went for $45 on the market is precisely that it must not be that
useful anymore. If it truly were a skeleton key to the world it would not be
going for $45.

I'm abundantly positive there's still a lot of perfectly valid login
credentials in there, but the trick is finding them without also triggering
rate limiting detection now.

~~~
elorant
I'm not aware of the specifics of the dark market, but from a marketing
perspective selling something for cheap makes it easier to sell volume.
Perhaps the guy who did the hack didn't want to go into the trouble of finding
the one bidder who would give him top dollar, not to mention the dangers a
contact like that might include. It's easier to find 1k buyers for $45 than
one for $45k.

~~~
jerf
There isn't a "the guy" who did "the hack"; this is an aggregate compilation
of a series of low-quality elements that have mostly lost their market value.
It's the computer security equivalent of this:
[https://smile.amazon.com/Midnight-Movie-Madness-MegaPack-
Dig...](https://smile.amazon.com/Midnight-Movie-Madness-MegaPack-
Digital/dp/B01DL6PBMG/) 50 low-value movies for $11.99. Note the distinction
between "low value" and "no value". Yes, you might find something you like in
there, as some of the reviewers did, but the economic value of this stuff has
passed.

My point is that the market value has been lost because there actually is some
churn in passwords and accounts. If 99% of the credentials in this hack still
worked, it would not be getting sold at this price at all; it would be selling
something worth tens or hundreds of thousands, if not millions to the right
buyer, for You Pay Only $44.99. Not gonna happen. It can't be worth all that
much to most buyers if that's all they're selling it for.

Or it's just so widespread that it's worthless, although I'd suggest in that
case that we'd have heard about it earlier. Have I Been Pwned actually has
some hookups in that world.

~~~
bitwize
> It's the computer security equivalent of this:
> [https://smile.amazon.com/Midnight-Movie-Madness-MegaPack-
> Dig...](https://smile.amazon.com/Midnight-Movie-Madness-MegaPack-Dig..). 50
> low-value movies for $11.99. Note the distinction between "low value" and
> "no value". Yes, you might find something you like in there, as some of the
> reviewers did, but the economic value of this stuff has passed.

They should call it "Amazon Subprime".

------
kylek
Re-released as a scare tactic to get people to buy 1password? (I hate to sound
cynical, because really it's a great way to get people to look into password
managers if it was a marketing scheme)

------
JoeCoo7
My new years resolution is to change my passwords every year and not reuse
any.

Along with the traditional diet and exercise spiel that lasts a month, only 12
days left on most of my new years resolutions!

------
thisisweirdok
Yeah I knew this when I got the haveibeenpwned email about it. Just brushed it
off with a "oh, that password is making the rounds again." The password in
question was compromised something like 5+ years ago.

Having a 20 character password in a vault and 2FA is a great peace of mind
now. I don't even have to bother looking into it.

