
360 million newly stolen credentials on black market - Varcht
http://www.reuters.com/article/technologyNews/idUSBREA1O20S20140225
======
jfc
_He said he believes the credentials were stolen in breaches that have yet to
be publicly reported._

This really bugs me. It seems like many companies are either completely
unaware that a breach has occurred, or know about it and are taking their time
notifying customers (for PR or other purposes). Either way, customers are not
getting this information in a timely manner, and that needs to change.

~~~
mathattack
Almost by definition, if you're dumb enough to leave a hole in your security,
you're not dumb enough to realize when it's been broken. There are exceptions,
but unless you've been harmed by the action, it's hard to find someone if you
don't even know where to look.

~~~
niemeyer
> if you're dumb enough to leave a hole in your security

This is grossly underestimating how hard it is to have a bullet-proof system.
Some of the best security people on this planet use disconnected systems when
they want to be sure it is safe.

~~~
mathattack
Fair enough. Is it more accurate to say, "If you don't know where the hole in
your security is, it's hard to know if it's been compromised."?

------
welder
The "cybersecurity" firm says they are unsure what they can be used to access,
but that the usernames are email addresses. If they just look for emails with
an appended plus sign they can probably find out what service the account is
from. For example, john.doe+cloudservice@gmail.com [1]

Anyone have a copy of the dump?

[1] http://gmailblog.blogspot.com/2008/03/2-hidden-ways-to-get-more-from-your.html

~~~
malka
Lots of websites do not consider the '+' character to be invalid for an email
(I do not have an example in my mind at the moment). Annoying as hell.

~~~
joshvm
Almost all websites allow it. The ones that don't are generally fairly
restrictive and probably just check is_alnum(). I use it all the time to
segregate incoming mail. I have 1Password and generate a random long password
for each account, so I'm not particularly concerned if one or multiple
accounts are breached. This means I have to trust 1Password of course, but
I'll risk it.

The problem for me is inconsistent support. For example, when validation
allows it, but the server-side strips the +. I recently booked a flight with
Monarch (UK super budget), email address:

example+monarch@gmail.com

This got stripped to examplemonarch@gmail.com which I'm sure doesn't exist for
my name. I couldn't change the email because... surprise... you need a
confirmation email to do it. Fortunately you only need the booking reference
and the address to check in, but it was a bit annoying.
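
Both the triage idea above (bucket a dump by the sub-address tag to guess which service each credential came from) and the validation problem in this comment (accepting '+' but then stripping it server-side) come down to handling the local part of an address correctly. The following is an added example written for this thread, not code from the article or from any of the companies mentioned; the dump lines in it are constructed, and the regexes are my own dot-atom approximation of RFC 5322 rather than a full validator.

```python
"""Sub-address ("plus") tags in a credential dump and in signup validation.

Added example for the discussion above; not code from the article or the
thread. SAMPLE_DUMP is constructed for illustration and contains no real
credentials.
"""
import re
from collections import Counter

# RFC 5322 "atext": the characters allowed unquoted in a local part. '+' is a
# member, so a validator that rejects it is stricter than the RFC. The regexes
# are an approximation (dot-atom local part, hostname-like domain), not a
# complete RFC 5322 grammar.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
LOCAL_RE = re.compile(rf"^{ATEXT}+(?:\.{ATEXT}+)*$")
DOMAIN_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def is_valid_email(addr: str) -> bool:
    """Dot-atom local part (so '+' is accepted) and a hostname-like domain."""
    local, sep, domain = addr.rpartition("@")
    return bool(sep) and LOCAL_RE.match(local) is not None \
        and DOMAIN_RE.match(domain) is not None


def split_subaddress(addr: str):
    """Return (base_local, tag, domain); tag is '' when there is no '+'.

    The domain is lower-cased (DNS is case-insensitive); the local part is
    left alone because the RFC makes it the receiving host's business.
    """
    local, _, domain = addr.rpartition("@")
    base, _, tag = local.partition("+")
    return base, tag, domain.lower()


def normalize_correct(addr: str) -> str:
    """Keep the local part byte-for-byte; only fold the domain."""
    local, _, domain = addr.rpartition("@")
    return f"{local}@{domain.lower()}"


def normalize_stripping_plus(addr: str) -> str:
    """The failure mode described in the comment: deleting the '+' (rather
    than the whole '+tag') turns the address into a different mailbox that
    the user does not control, so confirmation mail can never arrive."""
    return normalize_correct(addr).replace("+", "")


def count_tags(dump_lines):
    """Count sub-address tags in 'email:password' lines.

    When the source of a leak is unknown, the tag is the best clue to which
    service the credential was registered with. Lines that are not addresses
    are skipped rather than guessed at.
    """
    counts = Counter()
    for line in dump_lines:
        email, _, _ = line.partition(":")
        if not is_valid_email(email):
            continue
        _, tag, _ = split_subaddress(email)
        if tag:
            counts[tag.lower()] += 1
    return counts


# Constructed sample dump (not real data).
SAMPLE_DUMP = [
    "john.doe+cloudservice@gmail.com:hunter2",
    "jane+CloudService@example.org:Tr0ub4dor&3",
    "bob@example.com:password1",
    "alice+forum@example.net:correcthorse",
    "not an email:xyz",
]

if __name__ == "__main__":
    for tag, n in count_tags(SAMPLE_DUMP).most_common():
        print(f"{tag}: {n}")
    print(normalize_correct("example+monarch@gmail.com"))
    print(normalize_stripping_plus("example+monarch@gmail.com"))
```

The two normalizers side by side are the point: if a site wants to collapse sub-addresses for deduplication it has to drop the '+' and everything after it up to the '@', and only for providers known to implement sub-addressing; deleting the single character is the one option that is always wrong.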

------
rahimnathwani
_In addition to the 360 million credentials, the criminals are selling some
1.25 billion email addresses, which would be of interest to spammers_

I used Google Apps for my personal email, and I'm pretty happy with the spam
protection. (Although I don't check my spam folder for false positives, so who
knows?)

Anyway, can anyone who has switched from Gapps/Gmail to their own installation
of SpamAssassin comment on how that worked out for them, and how much time
they spend maintaining their setup?

~~~
mjn
> Although I don't check my spam folder for false positives, so who knows?

I've started doing this occasionally, and while false positives are rare, they
do happen and are sometimes pretty important! It's useful that it tells you
why mail is in the folder, though sometimes the explanations are more
informative than others. One funny one was that it trashed a mail because it
contained Danish text, a language it says I don't correspond in. I do indeed
not correspond in Danish, but I do live in Denmark, so getting Danish email
isn't so surprising, and usually is actually important (e.g. from the tax
authority). That one was interesting in that it seems to indicate they don't
tune the spam filter using all the personal profile data they have (Gmail
certainly knows I log in from a Danish IP).

~~~
skj
Email from Google recruiters went to my gmail spam. I had to whitelist
@google.com, which I thought was pretty silly.

I know it's a popular domain to spoof, but you'd think that at least with
@google.com they could do a quick validation step!

------
scrrr
It's sensible to assume that everything you ever put into the cloud can be
leaked at any moment. So act accordingly.

------
NamTaf
I'd like Hold Sec. to release a way to at least check if any of your details
are present in the trove they have, even if they don't know where the source
of the leak was.

~~~
rahimnathwani
A web form purporting to do that would be a great way to harvest email
addresses.

You could even add the ability to verify that a given email/password combo
does not appear in the list :)

~~~
judk
They could collect bcrypt hashes to verify instead of raw emails.
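
Sketched out, the hashed-lookup idea from this comment looks like the block below. It is an added example for this thread, not code from Hold Security or the article. Because the standard library has no bcrypt, it uses hashlib.pbkdf2_hmac in the same role (a slow, salted hash); the salt value, iteration count and the leaked addresses are all assumed.

```python
"""Breach-check lookup over hashed email addresses rather than raw ones.

Added example for the discussion above, not code from the thread or from
Hold Security. hashlib.pbkdf2_hmac stands in for the bcrypt proposed in the
comment; PUBLIC_SALT, ITERATIONS and LEAKED are assumed values.
"""
import hashlib

# The salt has to be public: client and server must derive the same hash for
# the same address, so it cannot be secret or per-entry. It still prevents
# tables precomputed for some other service from being reused against this one.
PUBLIC_SALT = b"breach-check-v1"   # assumed value
ITERATIONS = 100_000                # assumed work factor


def normalize(email: str) -> str:
    """Lower-case the whole address. Mailbox case-sensitivity is almost never
    honoured by providers, and a case mismatch would hide a genuine hit."""
    return email.strip().lower()


def hash_email(email: str) -> bytes:
    """Slow, salted hash of the normalized address (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(email).encode(), PUBLIC_SALT, ITERATIONS
    )


class BreachIndex:
    """Server side: stores only the hashes of the leaked addresses."""

    def __init__(self, leaked_emails):
        self._hashes = {hash_email(e) for e in leaked_emails}

    def contains_hash(self, h: bytes) -> bool:
        return h in self._hashes

    def dictionary_attack(self, candidate_emails):
        """What anyone holding a copy of the index can still do: re-hash
        guesses with the public salt. The work factor makes each guess cost
        ITERATIONS of HMAC, it does not make recovery impossible, because
        email addresses are low-entropy and easy to enumerate."""
        return [e for e in candidate_emails if hash_email(e) in self._hashes]


def client_check(index: BreachIndex, email: str) -> bool:
    """Client side: only the hash is submitted; the raw address stays local."""
    return index.contains_hash(hash_email(email))


# Assumed leaked addresses (constructed, not from any real dump).
LEAKED = ["alice@example.org", "Bob@Example.com"]
INDEX = BreachIndex(LEAKED)

if __name__ == "__main__":
    for addr in ["ALICE@example.org", "carol@example.net"]:
        print(addr, "->", "leaked" if client_check(INDEX, addr) else "clean")
```

Two caveats a practitioner would raise: the server still receives a full hash and can brute-force it offline exactly as dictionary_attack does, so a query is only a little less revealing than the raw address; and a fixed work factor that is cheap enough for a web form is cheap enough for an attacker with a list of plausible addresses. Sending only a short prefix of the hash and letting the client match against the returned bucket would limit what the server learns per query, at the cost of a larger response.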

------
joshfraser
The post on the Hold Security site has a very different tone than the Reuters
piece. It reads more like a sales pitch than anything.

http://www.holdsecurity.com/#!news2013/c13i1

------
linux_devil
Is it just me who believes that if you are online then your privacy is
breached already? For example: how can we trust Gmail or Facebook with our
data either, where ads are displayed based on searches done and cookie
tracking? Even on smartphones, who knows if they have voice samples for
individuals based on Google search; sometimes I think they know more about me
than I do myself. And a single breach while accessing such services can cost
us. I am over such stories of accounts hacked and security breaches.

~~~
ewoodrich
Just because Google has your data (because you created an account with them)
does not mean that you should be okay with every spammer and script kiddie
having it.

------
nly
It's quite clear at this stage having technological solutions to password
authentication simply isn't enough. We need to make it a criminally
prosecutable offence for services of a certain size not to use them. The
company that produced that 105 million record database, regardless of whether
this turns out to be infiltration by an outsider or an inside job, should be
sued for gross negligence.

Why can't we do this when the EU can pass useless cookie directives?

~~~
zxcdw
How do you enforce this and in which situations? I have a hunch that the
actual legal technicalities aren't trivial.

------
allochthon
> After recent payment-card data breaches, including one at U.S. retailer
> Target, credit card companies stressed that consumers bear little risk
> because they are refunded rapidly for fraud losses.

This is not exactly the case -- the amount needed to pay the fraud detection
services will surely be passed on to the credit card users in the form of
higher APRs.

These days I'm wondering how to go about changing my Internet to a new, secure
one, where there are no financial predators.

------
yeukhon
Does anyone know how much each credential would be worth on average? I also
imagine they will filter out "possible celebrity" credentials for higher
bids/prices.

------
einhverfr
Not to worry, I am sure they will be purchased with stolen bitcoins :-P

