
The 773M Record “Collection #1” Data Breach - shritesh
https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
======
priansh
This is frankly terrifying and very ironic.

Websites put so much effort into tracking every little thing about their
users, from where they come from to what they do. Hotjar
([https://hotjar.com](https://hotjar.com)) goes ahead and tracks mouse
movements and now we even have crazy f-ed up startups like Peekmap
([https://peekmap.com](https://peekmap.com)) that claim to predict eye gaze
without the webcam.

And yet they get pwned so easily.

__So much effort into violating user privacy, so little effort into enforcing user security.__

~~~
markovbot
and receive no meaningful legal consequences. These people should be on the
hook for all damage done with this dump, but they won't be, so it doesn't
really matter. It's not ironic, it's just business as usual.

Collecting data on users should be _extremely_ risky, even if they consent to
its collection.

~~~
AYBABTME
I think it's time for an external, trustworthy entity to spawn that would vet
and endorse companies that respect their users. Something like the "USDA
Organic" label but for user privacies. Maybe it'd be an EFF-like entity that
audits companies in exchange for a fee and endorse that "Company X, and the
product/services it uses, are respecting user privacy". We could then derive a
chain of trust between companies, maybe have a browser extension that tells
when we're using a website that is endorsed by such entity?

~~~
technion
I've gone back and forth on this. The very likely outcome of such a thing in
practice is another PCI-like process. We both know an "EFF-like" organisation
selected by a Government will be one of the big accounting firms or similar in
practice.

Particularly once there's a certification fee, it quickly becomes a racket,
where people with strong ethics and skills get pushed aside by someone who
paid a fortune to sit a course. Language lawyers will find ways to sign off on
major issues, and some largely irrelevant thing ends up becoming the majority
of the process.

~~~
heyjudy
You're catastrophizing by jumping to a negative outcome, similar to a
cognitive distortion. It doesn't have to become a racket; that is a leadership
choice. Individual identity issuing, public key certifying authority, banking,
news, healthcare, trustworthiness and many more areas would all be served
best by _non-profits_ that are funded by a combination of grants, _modest_
fees and/or donations. There are some human activities that are too important
to be privatized, like the fire department and the NTSB... whether the
government should or shouldn't be responsible for running X is a topic for
another time.

------
zaroth
Troy won’t store the passwords associated with the username, which is a choice
I can absolutely respect.

But as he discusses in the post, that leaves users knowing that their email
address was in the data dump, but with no way of knowing which site it came
from, or what password was breached.

So while this increases the number of records in HIBP, and perhaps makes the
password popularity tracker a bit more comprehensive, it still leaves users
exposed.

I know which password of yours was breached, and that information is now
effectively public, but you probably don’t know where to find it yourself, and
I won’t tell you which one it was. So I guess just assume all your passwords
are cracked and use a password manager.

I don’t really hold it against Troy, because again, I respect his decision not
to store plains directly associated with usernames. He did as much as he was
willing to with the data, and it’s better than nothing, but not great all the
same.

~~~
AdmiralAsshat
The slightly annoying thing here is that I _already_ use a password manager,
so while the impact to me is minimal, I wish I knew which password
specifically I have to rotate, instead of assuming that I need to rotate,
like, all of them...

~~~
jarfil
What we may need is the next step: a standardized way of changing passwords
that would allow us to rotate them in bulk directly from the password manager.

~~~
Rychard
You might be interested in this, from just over a month ago:

[https://news.ycombinator.com/item?id=18618193](https://news.ycombinator.com/item?id=18618193)

------
Darkstryder
Reading this tweet (
[https://twitter.com/troyhunt/status/1085095504197779456](https://twitter.com/troyhunt/status/1085095504197779456)
), I've just donated the price of a coffee to Troy (
[https://haveibeenpwned.com/Donate](https://haveibeenpwned.com/Donate) ), and
you should too.

HIBP is quickly becoming a critical piece of the Internet security
infrastructure, and Troy should be lauded for undertaking it basically by
himself.

~~~
spacemanmatt
I like the service. I just donated, too.

------
twic
> Collection #1 is a set of email addresses and passwords totalling
> 2,692,818,238 rows. It's made up of many different individual data breaches
> from literally thousands of different sources. (And yes, fellow techies,
> that's a sizeable amount more than a 32-bit integer can hold.)

I hate to be that guy [1], but no, that does fit in a 32-bit integer - as long
as it's unsigned.

From the tweet, it seems like SQL Server puts the result of a COUNT into a
signed 32-bit integer, which really surprises me.

[1] I lied, i love being that guy.

------
stevekemp
I got a notification today that my domain has been included in this
collection.

But as far as I can see it is gibberish spam-mails. I see 500+ entries such
as:

    fkdsjlfjldsf@example.com
    spamkdsjf31@example.com
    fsdjlfsdjkl@example.com

i.e. None of these emails at my domain are real, nor have they ever been real.

That said if you allow password-based authentication on a server which is
shared you might consider using my PAM module:

[https://github.com/skx/pam_pwnd](https://github.com/skx/pam_pwnd)

It does lookups of previously-leaked passwords. Best practice these days is
SSH-keys for authentication, but this would cover weak sudo passwords too,
etc.

------
mxscho
Someone from a well-known leak forum is claiming that the "Collection #1"
discovered by Troy Hunt is only part #1 of all available collections (there
are at least 5, and additional other dumps). He also posted a screenshot of
the original sales thread of the owner. The dumps together seem to have a
total size of almost 1TB.

Not sure whether it's cool to post any links here.

------
Fudgel
If you're using keepass, there are some plugins to check against HIBP:
[https://keepass.info/plugins.html](https://keepass.info/plugins.html)

I'm gonna download the passwords offline and try this plugin:
[https://github.com/mihaifm/HIBPOfflineCheck](https://github.com/mihaifm/HIBPOfflineCheck)

(you can grab the offline passwords from here:
[https://haveibeenpwned.com/Passwords](https://haveibeenpwned.com/Passwords) )

------
shmageggy
What's the latest consensus on the best password manager these days? I see he
is recommending 1Password, but I recently found Bitwarden, which looks quite
good.

~~~
amanzi
Bitwarden ([https://bitwarden.com/](https://bitwarden.com/)) is great and
scores well in feature comparisons -- there was one on here recently. It's
open source and has recently been audited too. It's free for the basic
service, and really cheap for additional features. Great mobile apps and a web
vault. And you can self-host. No bad points really.

~~~
sjun
The things that held me back from Bitwarden are the relatively short age of the
company at ~2 years and the fact that there is only one dev. I'm reaching
here. But even though the code is open source, he still owns the distribution.
He can potentially be compromised (whether maliciously or not) and release an
update that uploads the entire vault to him unencrypted. It could take a while
before the internet caught on that the source code doesn't match the release
build.

This of course could happen in a company like 1Password and there is at some
point that I need to make the call and trust the person(s) coding the password
manager. I feel that with 1Password there's at least the large size of the
company which would mean more eyeballs and accountability. There is also the
history of the company at ~12 years. This includes vetting and buy-in from
larger companies, which inspires a vote of confidence.

FWIW Bitwarden checks off nearly all the other boxes for me and I think the
single dev has done a seriously bang up job.

~~~
amanzi
All valid points. I guess nothing is perfect and you just need to decide where
you're happy to compromise.

------
weinzierl
There is the rumor that it is called _Collection #1_ because it was part of a
larger dump consisting of _Collection #1_ , _Collection #2_ , etc. There is
also the rumor that the whole set was sold for - now hold on tight - the
ginormous sum of $45.

------
randomthought12
My email/pw is in there but there is no easy way to know from which website, so I
don't know which password I have to change.

All my passwords are randomly generated so they are different for all
websites.

------
csbartus
so strange ...

I've checked again if I was pwned and at the top there is a service I've never
signed up for - Apollo, a sales acceleration platform.

I'm a simple dev and never subscribed to a sales service...

~~~
ask2sk
I got the same. Anyone here know what is Apollo?

~~~
LaurentS
Same here. I had never heard of them. Turns out they're a YC'15 startup
([https://www.apollo.io/company/](https://www.apollo.io/company/)). There are
no passwords in the data they lost according to HIBP. They seem to collect
personal data from various sources and help other companies increase sales.

~~~
nabnob
So not only do we have to worry about websites we actually use being
compromised, but we also have to worry about these sketchy third-party
companies that have purchased our data being hacked.

------
ksec
Let's say my email appeared on the Pwned list. And given that most (at least I
think most) people have zillions of web forums, services and sites using the
email address.

What should you do now? I mean editing and changing the password in every one of
them seems like a daunting task. And many of those services I no longer use
anyway.

I am thinking of completely giving up the identity and starting over, which seems
easier. Or any other thoughts and comments?

Edit: I will definitely pay Apple a monthly fee if there is some simple and
easy way to have an online identity using email along with Face ID or Touch ID as
2FA. Getting rid of passwords while increasing security is something that
should have happened but has yet to happen.

~~~
pps43
Just use a different e-mail and password for each web site.

------
aequitas
Got a few 'hacker' emails on one of my throwaway addresses on this list the
last few days. That account was leaked before in another list so this was not
worrisome as I get those all the time for this address.

What did strike me as odd this time is that they did not end up in my spam
folder but in my inbox. I'm using Gmail, which normally for me has very good
spam/phishing detection. Somehow these mails came through, though? Maybe it's
just an instance and Google was late to catch up with the cat/mouse game on
this attack. Or these phishers are getting more sophisticated?

~~~
ahje
Gmail, and other large providers, use filters that adapt based on user input.
If you report the messages as spam then the filter will learn, and hopefully
catch them the next time.

------
markovbot
Anyone got a link to the actual data?

~~~
arthurfm
There's a .torrent of Collection #1 available here:

[http://www.mediafire.com/file/mluhkk4dpqi8vfm/Collection_1.t...](http://www.mediafire.com/file/mluhkk4dpqi8vfm/Collection_1.torrent/file)

I found the link via a comment on /r/pwned [1]. I think it originally came
from RaidForums [2].

[1]
[https://www.reddit.com/r/pwned/comments/agsjie/troy_hunt_the...](https://www.reddit.com/r/pwned/comments/agsjie/troy_hunt_the_773_million_record_collection_1/eeb0xix)

[2] [https://raidforums.com/Thread-Collection-1-5-Zabagur-AntiPub...](https://raidforums.com/Thread-Collection-1-5-Zabagur-AntiPublic-Latest-120GB-1TB-TOTAL-Leaked-Download)

------
darekkay
_Oh, it must be Tuesday._ I've just updated my blog post[0] with some password
best practices and it's amazing how little has changed in the last 4 years.

[0] [https://darekkay.com/blog/another-password-leak-oh-must-tues...](https://darekkay.com/blog/another-password-leak-oh-must-tuesday/)

------
mpeg
Funny, I downloaded about 700GB of password dumps last week trying to figure
out how someone got one of my passwords (no big deal, they never managed to
access anything)

Maybe it was this one.

------
chkas
HIBP doesn't protect the privacy of searched passwords!

Showing 20 bits of the password hash narrows down the possible passwords to
one millionth. You should check it locally by downloading the password hash
list.
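
The two ways of checking a password against Pwned Passwords that come up in this thread, stevekemp's PAM lookup of leaked passwords and Fudgel's offline check, plus the 20-bit point chkas makes above, as an added worked example. This is not code from the thread, from HIBP, from pam_pwnd or from HIBPOfflineCheck. It assumes the documented range API (`https://api.pwnedpasswords.com/range/<5 hex chars>`, returning `SUFFIX:COUNT` lines) and the hash-ordered offline download format; the sample range body and offline lines are constructed stand-ins with invented counts, so the demo runs with no network access. The `fetch_range_live` function is the only thing that would touch the network and the demo never calls it.

```python
"""Pwned Passwords: k-anonymity range query vs. fully offline lookup.

Added example, not code from the HN thread, HIBP, pam_pwnd or HIBPOfflineCheck.
Assumptions (labelled): RANGE_URL and the SUFFIX:COUNT line format are the
documented Pwned Passwords API; SAMPLE_* data below is constructed, counts invented.
"""
from __future__ import annotations

import bisect
import hashlib
import urllib.request

PREFIX_HEX_CHARS = 5  # 5 hex chars = 20 bits of the SHA-1 leave the machine
# Assumption: the documented Pwned Passwords range endpoint; never contacted here.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the body the API would return for prefix 5BAA6.
# The 1E4C... suffix really is SHA-1("password") minus its first five hex chars;
# the counts and the other two lines are invented. CRLF is what the API uses.
SAMPLE_RANGE_5BAA6 = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "2A8D7B9AE3B6B9C3E1A9E7FAF1B1D2C3E4F:2\r\n"
)

# Constructed stand-in for a few lines of the hash-ordered offline download.
# Hashes are the real SHA-1s of "password" and "123456"; counts are invented.
SAMPLE_OFFLINE_SORTED = [
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "7C4A8D09CA3762AF61E59520943DC26494F8941B:23174662",
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, which is how Pwned Passwords indexes passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix that goes to the server, suffix that stays local)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_HEX_CHARS], digest[PREFIX_HEX_CHARS:]


def bits_revealed(prefix: str) -> int:
    """How many bits of the hash the server learns: 4 per hex char (20 for 5)."""
    return 4 * len(prefix)


def parse_range_body(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; tolerates blank lines/CRLF."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Fetch one range over HTTPS. Only the 20-bit prefix is ever sent."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "hibp-range-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range_live that knows a single range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def pwned_count(password: str, fetch=fetch_range_live) -> int:
    """Breach count via the range API, or 0; the full hash never leaves the process."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_body(fetch(prefix)).get(suffix, 0)


def offline_lookup(sorted_lines: list[str], password: str) -> int:
    """Binary-search the hash-ordered download; nothing is sent anywhere."""
    digest = sha1_hex(password)
    # 'HASH' sorts just before 'HASH:COUNT', so bisect_left lands on the matching line.
    i = bisect.bisect_left(sorted_lines, digest)
    if i < len(sorted_lines) and sorted_lines[i].startswith(digest + ":"):
        return int(sorted_lines[i].split(":", 1)[1])
    return 0


if __name__ == "__main__":
    prefix, _ = split_for_range_query("password")
    print(f"server learns {bits_revealed(prefix)} bits, i.e. which of "
          f"{2 ** bits_revealed(prefix):,} buckets the hash falls in")
    print("range API (offline stand-in):", pwned_count("password", fetch=fake_fetch))
    print("offline file:", offline_lookup(SAMPLE_OFFLINE_SORTED, "123456"))
```

The range query is what a PAM module or browser plugin would use: the server sees 5 hex characters, which is 2^20 (about 1,048,576) equally likely buckets, so it can narrow the candidate set by roughly a millionth, which is the point chkas is making. `offline_lookup` is the alternative for anyone who has pulled the hash-ordered file from haveibeenpwned.com/Passwords: with that file, nothing about the password leaves the machine, at the cost of keeping a multi-gigabyte download current. On the real file, `bisect` over a list would mean loading every line; for production use, seek within the sorted file instead, which the same comparison logic supports.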

------
hnuser1234
Here's one more record to add: my HN password is my username. Feel free to use
this account for anonymous well-intentioned posting.

~~~
eitland
Heh, plausible deniability

... but with a non-trivial risk of someone else locking you out from your own
account.

