
2,800 New Data Breaches with 80M Records Added - weinzierl
https://www.troyhunt.com/ive-just-added-2844-new-data-breaches-with-80m-records-to-have-i-been-pwned/
======
jacquesm
Just let that number sink in a bit. 80M/2844 = ~30K accounts / breach.

And still, just about every service that you _have_ to make use of (your HOA,
your insurance company, your government and so on) wants you to trust them
with your data secured by a userid and a password that they will administer on
infrastructure that they are most likely not competent to secure.

One of the best things to come out of the GDPR is the reporting requirements
for breaches. You can expect a lot more of these updates in the future.

Edit: interesting, the link now goes to
[https://ghost.org/fail/](https://ghost.org/fail/), a 404, so go to
[https://www.troyhunt.com/](https://www.troyhunt.com/)

~~~
duxup
I worry we're approaching a situation where everyone just assumes their data
is out there, lethargy / ignorance of the users sets in stone, and as on the
whole we don't make any progress security wise.

~~~
ams6110
We're not approaching it. We're past it. Everyone's data being out there, that
is.

------
AdmiralAsshat
So my most-breached e-mail address (a hotmail address from 17 years ago that I
basically use for stuff I know will send me spam) has 3 or 4 newly-added
breaches.

    2,844 Separate Data Breaches (unverified): In February
    2018, a massive collection of almost 3,000 alleged data
    breaches was found online. Whilst some of the data had
    previously been seen in Have I Been Pwned, 2,844 of the
    files consisting of more than 80 million unique email
    addresses had not previously been seen. Each file
    contained both an email address and plain text password
    and were consequently loaded as a single "unverified"
    data breach.

    Compromised data: Email addresses, Passwords

The problem is I have no idea what this breach is sourced from, so I don't
know what account in particular was affected. Not Troy's fault, obviously, but
it's basically just telling me, "Your e-mail address and a password to
somewhere was found online somewhere." For all I know it's recycled data from
a breach I already know about.

At this point it's not really a big deal. I use a password manager and they're
all random at this point, so I just need to figure out which one to rotate.

~~~
tail-recursion
I wrote a little python script to match the websites with the Alexa Top 1
Million and sort by rank. I found 268 top 1 million sites in the pwned list.
You can check out the ranking here if you want
[https://github.com/tail-recursion/hibp-rankings/](https://github.com/tail-recursion/hibp-rankings/).
Notable websites include: lotro.com, mtgox.com, malwarebytes.org,
daemon-tools.cc, autohotkey.com, vbulletin.org
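
The matching described in that comment, as an added example (this is not the
linked hibp-rankings script, just an illustration of the same idea): breach
file names of the form `<site>.txt` are normalised to a bare domain, looked up
in the Alexa `top-1m.csv` layout (`rank,domain` per line), and the hits are
sorted by rank. Both input samples are constructed here so the script runs
offline; the real lists are much larger.

```python
import csv
import io
import re

# Constructed sample in the Alexa "top-1m.csv" layout: "rank,domain" per line.
ALEXA_SAMPLE = """\
1,google.com
2,youtube.com
37,dropbox.com
1532,malwarebytes.org
4210,autohotkey.com
9876,vbulletin.org
12001,lotro.com
"""

# Constructed sample of breach file names as they appear in the collection
# (one "<site>.txt" per dump, per the thread). Mixed case and "www." are
# included on purpose to exercise the normalisation.
BREACH_FILES_SAMPLE = """\
lotro.com.txt
www.autohotkey.com.txt
mtgox.com.txt
MalwareBytes.org.txt
random-forum.example.txt
"""


def load_alexa(text):
    """Parse top-1m.csv text into {domain: rank}; malformed rows are skipped."""
    ranks = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2:
            continue
        rank, domain = row
        ranks[domain.strip().lower()] = int(rank)
    return ranks


def normalize(filename):
    """Turn 'www.Example.com.txt' into 'example.com'."""
    name = filename.strip().lower()
    name = re.sub(r"\.txt$", "", name)
    if name.startswith("www."):
        name = name[4:]
    return name


def rank_breaches(breach_text, alexa_text):
    """Return [(rank, domain), ...] for breach files whose domain is in the
    Alexa list, best (lowest) rank first. Duplicate file names count once."""
    ranks = load_alexa(alexa_text)
    matched = []
    seen = set()
    for line in breach_text.splitlines():
        domain = normalize(line)
        if not domain or domain in seen:
            continue
        seen.add(domain)
        if domain in ranks:
            matched.append((ranks[domain], domain))
    return sorted(matched)


if __name__ == "__main__":
    for rank, domain in rank_breaches(BREACH_FILES_SAMPLE, ALEXA_SAMPLE):
        print(f"{rank:>8}  {domain}")
```

Only exact registrable-domain matches are counted; a dump named after a
subdomain or a regional TLD variant of a listed site would be missed, which is
one reason a count like the 268 above is a lower bound rather than an exact
figure.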

~~~
ryanlol
So, recycled old dumps all of them? Every single big site I can see here has
coincidentally already had their data publicly dumped.

------
vidarh
It's getting to the point where it feels like the site could just be replaced
by one of those joke sites where the answer is just a static string: Yes.

Hopefully at least it will push more people towards password managers and
avoiding password reuse.

------
binarymelon
This information isn't valuable in any way to affected users without an easy
way to verify. Obscuring that information doesn't protect the users, it only
possibly sends them to places on the web where they are at a higher risk for
some other security breach. This is just click bait.

~~~
raesene9
not sure why you say that. If you subscribe to HIBP, and your address turns up
in one of these breaches, you'll get a notification.

you can also search now for your addresses and see if you were affected.

~~~
e40
Problem is, the pastebin has been removed, so I don't know what account
associated with my email address has been compromised.

------
ChrisSD
I'm a little surprised he doesn't share actual password lists with at least
some other security researchers. I get there are legal issues involved but I
thought researchers had legal protections?

"Dark web" (lol) hackers are already going to be circulating the sources of
this list and in any case could probably crack sha-1 reasonably quickly. So if
you do a minimal amount of verifying the person who asks (e.g. ring their
university) you can surely help the good guys with little risk of misuse?

~~~
sugerman
He recently shared Pwned Passwords which lets you check if your password is in
the breached data.

1Password then did a POC integration into their service so you can test if
your password shows up in HIBP data.

[https://blog.agilebits.com/2018/02/22/finding-pwned-password...](https://blog.agilebits.com/2018/02/22/finding-pwned-passwords-with-1password/)
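
The check that Pwned Passwords offers and that the 1Password integration
builds on works by k-anonymity: the client hashes the password with SHA-1 and
sends only the first five hex characters to the range endpoint
(`https://api.pwnedpasswords.com/range/<prefix>`), which answers with every
known suffix under that prefix and its count, so the full hash never leaves the
machine. The following is an added example of that client-side logic, not code
from 1Password or from HIBP; `offline_fetch` is a hypothetical stand-in for
the HTTP request and serves a constructed response whose counts are made up
(only the line layout mirrors the real service).

```python
import hashlib

# Constructed sample of a range response for prefix 5BAA6: one
# "<35-char hash suffix>:<count>" line per known hash. Counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003
1E8A5F0B3B1B6A3E4F8C2D1A0B9C8D7E6F5:1
"""


def hash_password(password):
    """Upper-case hex SHA-1 of the password, the form the service indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex):
    """Split a 40-char SHA-1 into the 5-char prefix sent and the 35-char
    suffix kept locally."""
    return sha1_hex[:5], sha1_hex[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """Return how many times the password appears in the breach corpus
    (0 if unseen). fetch_range(prefix) must return the range body text."""
    prefix, suffix = split_hash(hash_password(password))
    counts = parse_range(fetch_range(prefix))
    return counts.get(suffix, 0)


def offline_fetch(prefix):
    """Hypothetical stand-in for GET https://api.pwnedpasswords.com/range/<prefix>;
    answers only for the constructed sample prefix."""
    if prefix == "5BAA6":
        return SAMPLE_RANGE_5BAA6
    return ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, offline_fetch)
        print(f"{candidate!r}: seen {n} time(s)" if n else f"{candidate!r}: not seen")
```

The privacy property rests on the prefix alone: the server learns that the
password hashes into one of roughly a million buckets, nothing more, and the
comparison against the returned suffixes happens on the client. A real client
would replace `offline_fetch` with an HTTPS GET of that endpoint.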

~~~
ChrisSD
Right but that's not so useful for security researches. Analysis of the actual
passwords would be more useful.

~~~
petee
His reasons:

[https://www.troyhunt.com/no-i-cannot-share-data-breaches-wit...](https://www.troyhunt.com/no-i-cannot-share-data-breaches-with-you/)

[https://www.troyhunt.com/here-are-all-the-reasons-i-dont-mak...](https://www.troyhunt.com/here-are-all-the-reasons-i-dont-make-passwords-available-via-have-i-been-pwned/)

~~~
ChrisSD
Indeed. I guess the best practical argument is sharing them securely is hard.
Which is very true. However if it's not possible for two security researchers
to exchange data then what hope is there for the rest of us?

I get he doesn't want to do that and that is his prerogative. However, it does
feel like we're so scared of things falling into the wrong hands that we
hobble our ability to defend against hacks in the first place.

~~~
petee
I would imagine if there are any security researchers he trusts sharing the
data with, they wouldn't need to email him out of the blue for it, nor need to
discuss it with the rest of us.

But no, there is likely no hope, lol

------
PuffinBlue
Like most of you (probably) I have more than one email address.

My most 'hacked' email address has been involved in 6 breaches.

Anyone beat that?

~~~
akerro
No way for me to verify it because I use a different username on different
sites, and I have a self-hosted catch-all email server, I would have to
extract all my usernames or emails from KeePass and check each of them
separately... I'm too safe to even know I was hacked.

~~~
PuffinBlue
That might be even more interesting actually. Seeing as you could identify the
exact site that was breached. That sort of data would actually be quite
valuable to this project I would surmise.

I also have a similar system now as you do, but really only for higher value
accounts, not the niff naff forums stuff. And like you it's all randomly
generated unique passwords so pretty safe.

None of my site specific emails have been breached yet, which is good as that
would mean a major global provider had been breached.

~~~
icebraining
The project seems to know where the data comes from, at least in my case it
identified each:

| Email | Pwned sites |
|---|---|
| dropbox@... | Dropbox |
| ffshrine@... | Final Fantasy Shrine |
| github@... | GeekedIn |
| linkedin@... | LinkedIn |
| patreon@... | Patreon |
| tumblr@... | tumblr |

(The Github one was using their OAuth - which kinda screws with the
traceability)

------
ryantl
I ran the emails of a few of my family through the pwned API so that I could
tell them to change their passwords. I was surprised that almost everyone I
reached out to was surprised by their information being out there. My
interpretation was the general public is almost entirely unaware of the scope
of these breaches and what they need to do as a result.

It'd be cool if there was some way of gently sharing with your friends and
family whether or not they've been pwned -- maybe some kind of social network
plugin or web app that generates emails for you to send to them. A key
challenge would be being sensitive to their privacy, i.e., not coming off as
creepy.

------
tzs
Is there anything like this but for credit cards rather than
accounts/passwords?

------
jrimbault
JFYI: I've seen plex.tv.txt in the list.

line 713

~~~
ryanlol
Most likely just the old dump repackaged.

~~~
jrimbault
Yep. But I thought it better to say it.

------
zaarn
I received a notification earlier, though only regarding a dead email address
that I forward, it's probably some forum I signed up to ages ago and forgot
about.

I guess this is also a good time to remind the general population that
password managers are a thing and prevent such breaches from turning an "oh I
don't visit that website anymore" into "oh sh*t my bank account just went to
0"

------
vog
I applaud the dedication and effort that the author puts into HIBP.

One small suggestion, though: it wouldn't harm to ask somebody to proofread
public statements like this, especially since this is a highly trust-related
topic. The density of typos is annoying to me even though I'm not a native
speaker.

------
ocdtrekkie
One of the nice things about changing email addresses... every single
notification I've ever gotten from this site applies to my old addresses. A
couple years after switching, no breaches of my current credentials have
appeared yet.

------
purrcat259
Link currently 404s unfortunately. Navigating directly to troyhunt.com works
fine.

------
eganist
> I think that would be a much more interesting and useful way to spend two
> hours, rather than implementing _cute little algorithms_ inside an isolated
> environment like HackerRank.

Hiring manager here, one who doesn't use HackerRank either. I'm in agreement
with the premise, but I would likely decline an applicant unironically
employing the tone of writing emphasized above given the implications against
cooperation and teamwork.

"cute little" can be replaced with "case-specific" or "niche," maintaining the
same general meaning while divorcing it from adversarial connotations.

~~~
arianvanp
wrong post :')

------
HaBuDeSu
I'm sure most people here are already familiar with how to make unique and
strong passwords but for those who aren't:

[https://inspiredelearning.com/resource/create-strong-passwor...](https://inspiredelearning.com/resource/create-strong-password/)

------
lsh
I don't recognise any of the hosts in that list. It's going to keep me awake
now wondering which one of them I had an account with that was leaked. Might
go find a torrent and do some spelunking ...

~~~
rocqua
Plex.tv.txt? (line 713)

------
nukeop
There should be a way to check entire domains, outside of known public email
providers. I use a different email address for every website I use and a
catch-all rule on my domain to redirect them all to a single email account. I
won't check them all simply because I don't even remember them all. I know
this could have the downside of being useful in email address enumeration
though.

~~~
dpcx
There actually is - use the Domain Search
([https://haveibeenpwned.com/DomainSearch](https://haveibeenpwned.com/DomainSearch))

~~~
nukeop
Thanks for this link, looks like all the emails in my domain are safe.

