Hacker News new | more | comments | ask | show | jobs | submit login
The 773M Record “Collection #1” Data Breach (troyhunt.com)
325 points by shritesh 37 days ago | hide | past | web | favorite | 120 comments

This is frankly terrifying and very ironic.

Websites put so much effort into tracking every little thing about their users, from where they come from to what they do. Hotjar (https://hotjar.com) goes ahead and tracks mouse movements and now we even have crazy f-ed up startups like Peekmap (https://peekmap.com) that claim to predict eye gaze without the webcam.

And yet they get pwned so easily.

So much effort into violating user privacy, so little effort into enforcing user security.

I think you should have disclosed that you are part of Peekmap's team: https://angel.co/peekmap/jobs

This post looks almost like an ad. I hope, then, you are putting effort into "enforcing user security".

>> “and now we even have crazy f-ed up startups like Peekmap (https://peekmap.com) that claim to predict eye gaze without the webcam.”

Emphasis on ‘claim’. Considering he built this product, it would insinuate they don’t actually have this capability and are instead selling lies, pipe dreams and bullshit.

Holy cow good catch.

This is very weird.....

EDIT: Nice to see their open development position is an unpaid internship.

wow what odd way to promote his startup. super disingenuous. I hope know one ends up applying there after seeing this.

and receive no meaningful legal consequences. These people should be on the hook for all damage done with this dump, but they won't be, so it doesn't really matter. It's not ironic, it's just business as usual.

Collecting data on users should be extremely risky, even if they consent to it's collection.

I think it's time for an external, trustworthy entity to spawn that would vet and endorse companies that respect their users. Something like the "USDA Organic" label but for user privacies. Maybe it'd be an EFF-like entity that audits companies in exchange for a fee and endorse that "Company X, and the product/services it uses, are respecting user privacy". We could then derive a chain of trust between companies, maybe have a browser extension that tells when we're using a website that is endorsed by such entity?

I've gone back and forth on this. The very likely outcome of such a thing in practice is another PCI-like process. We both know an "EFF-like" organisation selected by a Government will one of the big accounting firms or similar in practice.

Particularly once there's a certification fee, it quickly becomes a racket, where people with strong ethics and skills get pushed aside by someone who paid a fortune to sit a course. Language lawyers will find ways to sign off on major issues, and some largely irrelevant thing ends up becoming the majority of the process.

You're catastrophizing by jumping to a negative outcome, similar to a cognitive distortion. It doesn't have to become a racket; that is a leadership choice. Individual identity issuing, public key certifying authority, banking, news, healthcare, truth-worthiness and many more areas would all be served best by non-profits that are funded by a combination of grants, modest fees and/or donations. There are some human activities that are too important to be privatized, like the fire department and the NTSB... whether the government should or shouldn't be responsible for running X is a topic for another time.

Standards could help too.

I recently started setting up a phpBB forum for a personal project. Because I wanted to respect people's privacy as much as possible, I removed certain fields like the birthday so that they can't be entered. I disabled private messages to avoid keeping unneeded nominally private data. To contact a specific user, I allowed only emails sent via a form to prevent leaking a user's email address. And I installed an extension to allow users to delete their accounts. I was pleasantly surprised with how easy disabling birthdays and other profile fields were, but somewhat disappointed that allowing users to delete their own accounts wasn't built in yet. Would be nice for forum softwares to have a standard set of features and default behaviors that respect privacy. I doubt many people change the configuration settings I did. (If you have any other ideas for forum admins to make their forum respect privacy better, I'm interested.)

I don't see why a forum should have a birthday field in particular. If COPPA compliance is a concern, just ask if the user is 13 or older at registration.

> If you have any other ideas for forum admins to make their forum respect privacy better, I'm interested.

Tell the software vendor! They need to supply sane and private defaults, so that every admin who deploys an instance benefits automatically.

You could drive home the point by saying that if you were to run the software in the EU, it becomes a ticking time bomb and is an invitation for getting a forum admin into obnoxious manual cleaning work at best, legal trouble at worst.

Or you could follow the EU example and make it mandatory with national agencies empowered to levy fines?

The history of "web page endorsements" is pretty lousy. The only one that really stuck was SSL enhanced verification, and all that does is tie a cert to a business entity.

Have you ever implemented a standard before? The process is usually a bureaucratic joke. There will always be auditors that will certify you for essentially just paying them. This is not only a privacy problem, it’s also a security problem. ISO 27001 and other standards have been around for a long time, and getting certified has always meant little, and companies still get breached. ISO are working on a privacy standard right now, and when that’s finalized, I guarantee you that consumers are going to take no interest in it, and that people will still be tracked and companies will still be breached. The system you’re describing would only ever be noticed by a very small subset of privacy conscious and educated users, and even then it would likely achieve nothing.

>...and receive no meaningful legal consequences.

This, to me, is the most pivotal part. Data was stolen in relation to you? Too bad, so sad.

>Collecting data on users should be extremely risky, even if they consent to it's collection.

The problem is that it's been so normalised that it's become pedestrian. It's the new norm and no longer risky because "everyone's doing it".

Correct, which is why we need laws and regulations that make it risky by shifting the cost of losing the data to those who collected and lost it in the first place, instead of those whose data were collected.

Exactly. It’s a matter of incentives. Without laws with teeth (IE, both consequences and enforcement), this will never change.

We are getting there, thanks to the EU. The GDPR directive has teeth, and it /will/ affect all larger US companies as well.

Fines of up to 4% of yearly revenue area no joke: https://www.forbes.com/sites/bernardmarr/2018/06/11/gdpr-the...

Have there been any notable cases of actual enforcement GDPR enforcement yet?

Only small fry. Knuddels, a German chat platform, was fined for a data breach and storing passwords unencrypted.

But data protection institutions are warming up for taking Facebook to task: https://www.cnbc.com/2018/10/04/facebook-data-breach-top-eu-... - the 1.6bn is way over the top since FB informed customers in time, but still this will be a lighthouse case.

How does Peekmap work? Their website contains no details.

I just can't imagine how you can reliably track a users eye gaze without a webcam - is it just some snake oil pretending to solve everything with AI?

It could be ML prediction based on scrolling + mouse movements or just old-school code which finds the closest and brightest div next to mouse coordinates. Maybe it's slightly more useful than plain mouse heat map which all competitors use, even if it's a crude approximation.

I assume they ran experiments with test subjects navigating websites with both eye and mouse movement tracking, and then trained a model to predict eye tracking from the mouse movement.

Wouldn't they have to train someone using your web site though. So I wonder what happens if you change your site.

I don't know if there is an actual working product though, their Twitter is only 16 hours old.

You should provide the map on the homepage in real-time, otherwise I won't believe it

"crazy f-ed up startups like Peekmap".

Sounds synonomous with "scum bag" to me, priansch.

Troy won’t store the passwords associated with the username, which is a choice I can absolutely respect.

But as he discusses in the post, that leaves users knowing that their email address was in the data dump, but with no way of knowing which site it came from, or what password was breached.

So while this increases the number of records in HIBP, and perhaps makes the password popularity tracker a bit more comprehensive, it still leaves users exposed.

I know which password of yours was breached, and that information is now effectively public, but you probably don’t know where to find it yourself, and I won’t tell you which one it was. So I guess just assume all your passwords are cracked and use a password manager.

I don’t really hold it against Troy, because again, I respect his decision not to store plains directly associated with usernames. He did as much as he was willing to with the data, and it’s better than nothing, but not great all the same.

He has the "Pwned Password" search to allow you to narrow it down and he has a really good article that he links to explaining why despite its inconvenience.

If I was him I'd do the same. HIBP is a side project of his and I wouldn't be able to sleep at night knowing I have the responsibility of securing billions of email & password combinations.

At the risk of the breach of those accounts adding fuel to the credential stuffing fire and reducing his overall credibility when providing security advice which is his primary occupation.

Too risky.

I am not sure you should put too much confidence in the "pwned password" search.

I know one of the weak password I stupidly reuse everywhere was compromised since I had someone buy something with my paypal account. But it comes up as clean in the password search. So it was probably cracked from one of the leaked hashes but the plain text was never entered into the public dumps.

Well one can't prove a negative, that is that your password _hasn't_ been leaked.

Knowing that - for sure - a password has appeared in a breach is very useful.

It would be impossible for the site to have every password ever compromised.

It can only check against a database of known password leaks.

There wouldn't be any inconvenience if your password manager did its job of helping you manage your passwords. 1Password has implemented a feature that helps you easily check all your passwords, I'm honestly surprised it's taking so long for the others to do too. The data is there, there's a super easy API, it doesn't take that much effort...

Enpass has such a feature too. I just had it check all my passwords in the light of this new breach.

You can search by password here: https://haveibeenpwned.com/Passwords

If you're as paranoid as you should be about then you can use an API to search using k-anonymity: https://api.pwnedpasswords.com/range/{hashPrefix} There you can replace "{hashPrefix}" with the first 5 characters of the SHA-1 of your password. It will return a list of all SHA-1's that start with the given 5 character prefix, as well as how many times they've been 'busted'. Ideally it will not return the full SHA of the password you're testing, meaning you're in the clear.

For testing purposes, the SHA-1 of "Passw0rd" is "21BD12DC183F740EE76F27B78EB39C8AD972A757".


Edit : I previously stated you could search directly by the SHA-1 of your pass alone (in the regular web interface). It looks like this feature has been removed since he's added the k-anonymity feature. So your options are searching directly by password, or using the k-anonymity hash prefix API.

I wrote a Ruby script to check passwords back when the Pwned Passwords V2 API was introduced. I've added a second script to check a bulk list of passwords in a plain-text file.


Troy Hunt explained how to find out if your password is pwned using the API in a comment [0]:

You need to look at the request being generated. Here's how to do it:

1) The SHA-1 of P@ssw0rd is 21BD12DC183F740EE76F27B78EB39C8AD972A757: https://passwordsgenerator.net/sha1-hash-generator/

2) Pass the first 5 chars to the API here: https://api.pwnedpasswords.com/range/21BD1

3) Find the suffix in the response and it has the count next to it: 2DC183F740EE76F27B78EB39C8AD972A757:51259

[0]: https://www.troyhunt.com/the-773-million-record-collection-1...

Weird, I don't see any entries for password or password1 in there.

I get this when I try 'password':

Oh no — pwned! This password has been seen 3,645,804 times before

I assume he was sending in the SHA-1s. And yeah, it looks like he (Troy Hunt / site operator) disabled the direct search by SHA-1 now that he's enabled the k-anonymity API. Was able to edit and update my original post to reflect this.

The slightly annoying thing here is that I already use a password manager, so while the impact to me is minimal, I wish I knew which password specifically I have to rotate, instead of assuming that I need to rotate, like, all of them...

I'm not sure if you're a 1Password user (or whether your alternative supports similar functionality) but the former has a feature called Watchtower which then groups your compromised logins.

What we may need is the next step: a standardized way of changing passwords that would allow us to rotate them in bulk directly from the password manager.

You might be interested in this, from just over a month ago:


(Not affiliated with, just a happy user of) 1Password does a pretty good job at this, you can find all HIBP-passwords in a single location: https://support.1password.com/watchtower/

Why not use Pwned Passwords to check your passwords to see if any of them need to be rotated due to this breach or any other?

Seems really weird to advocate people reveal their passwords to a random untrusted 3rd party.

They do have an API that allows you to search for your password based on a truncated checksum, so you can find out if your password was leaked, without revealing the password.

The password itself is not sent. You can read about it here:


He's suggesting using (the link is from your link): https://haveibeenpwned.com/Passwords

Which does upload your password, which I think is an unacceptable risk.

Well it claims to take the first 5 characters of the SHA of the plaintext.

But it also pulls untrusted code/CSS from various sites over HTTP. It's far from unclear who controls that code.

For instance this wall of code: http://az416426.vo.msecnd.net/scripts/a/ai.0.js

A more sane approach would be to just put your passwords in a file, maybe by export from your database manager. Take a sha1 of each password, then submit those. That way you aren't trusting any random 3rd party sites to run safe code.

Not trying to be a pedant, but wouldn’t “[...]it’s far from clear[...]” be (more?) correct?

If it’s ‘far from unclear’, it would seem to imply things are rather clear, IMHO.

I completely agree. Maybe this was the mental model:

    far from unclear           unclear      clear   far from unclear
          ^                                               ^
          |                                               |

Heh, sure, "far from clear" is what I meant to say.

It would take substantial time, expertise, and effort to audit that single web page. Even then any of the numerous pieces could change at any time.

So the risk is high, especially for something you are putting trusted passwords into.

You're either not reading the "how this protects your password" link that's on top of the page or claiming it's wrong. [1]

It sends the first N characters of the SHA1 hash of the password you provided to the server, the server replies with all the hashes it knows with that prefix, and then the client-side JS compares it to the rest of the hash it has.

If you don't believe me, you can look at the request said site issues for some arbitrary string - it's just the first 5 characters of the SHA1 hash, and the response from the server is as I (and that link) describe.

[1] - https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

So you are trusting the HTML/CSS and javscript downloaded from troyhunt.com with your plaintext password? Not to mention various bits from cloudflare.com, and other places.

There's some code that page uses: http://az416426.vo.msecnd.net/scripts/a/ai.0.js

Note the lack of https.

You are going to trust a page with that code with your important passwords?

Sure it claims to anonymize it first, but most don't know enough code to verify it themselves.

Much like trusting curl https://whatever.com | sudo /bin/bash


If you are that distrusting, then do the SHA1 conversion yourself. It isn't that complicated:

  sha1=$(echo -n 'happy123' | tr -d '\n' | openssl sha1)
  result=$(curl https://api.pwnedpasswords.com/range/${sha1:0:5} 2>/dev/null | grep $(echo ${sha1:5:35} | tr '[:lower:]' '[:upper:]'))
  echo "Count: ${result#*:}"
With that, I can see that the password 'happy123' has been "pwn'd" 70,617 times.

So your claim has gone from "it uploads the password to the server" to "you trust unverified Javascript".

No, I don't have any particular reason to trust it.

I was just pointing out that the claim you made was inaccurate.

Well it does, if you have javascript off, from the source (page says "If you submit a password in the form below, it will not be anonymised first")

Troy seems to have a fine reputation, but I don't want to trust the crown jewels (my passwords to everything) on Troy's reputation, the security of his site, cloudflare, and random javascript bits hosted in various places.

So sure the design and explanation of the page is that passwords are not uploaded. But since I can't practically verify that myself, I wouldn't upload passwords there. What's worse is even if I could audit every line of code, I couldn't guarantee other people wouldn't get a malicious version of the site.

So generally saying "Sure, type your password into a form on this webpage, I found an explanation that says it's not uploading it." is a very bad idea.

There's similarly plausible pages for things like generating SSL certs (not just CSRs), ssh keys, generating passwords for you, and similar that often have reassuring explanations that their security is just fine.

So generally never put your private key or plaintext password where a random 3rd party might read it. The promise that some anonymization process will be applied should not be enough to get you to risk it.

This reminds me of: http://bash.org/?244321

Please stop inventing claims to disagree with.

I claimed your initial unqualified statement, that it uploaded your password, was inaccurate, with both an explanation of what it was doing and the claim that I had not seen any evidence of it doing anything else.

I did not claim the site was not vulnerable to MITM or other injection attacks.

I did not claim you should trust this or any other resource with your password or any other data.

How about if you go to another device which you have not used before (maybe a library or internet cafe), do not identify yourself to the web in any way, open a sole link to that page and enter the passwords you wish to check. They are checked, but there is nothing to link them to you?

Of course, if we don't completely trust Troy Hunt and everybody associated with the site then we could assume that now those passwords have been added to a secret list of known unknowns, to use when trying to crack the hashed files they already have stored.

Security sure is difficult! I know it says at the top of the article that it is pitched at non-technical people but most of the people I know would have glazed over in the first few paragraphs..

> He's suggesting using (the link is from your link): https://haveibeenpwned.com/Passwords

Please don't make false assertions about what I was suggesting without any evidence.

Pwned Passwords consists of a number of tools, which one you choose to use depends on the concerns you have and the effort you choose to put in. Both the API and the SHA download files provide secure means of checking if your password is present in this data dump.

I would certainly not put any live passwords into the webform.

You replies in general have be combative and seeked to push people into positions that you could argue against for internet points.

You could have made your points in a much more constructive and concise manner:

Pwned Passwords is a great data set, I would recommend against using the webform to check your password, instead download the hash file or utilize the extremely simple api. The webform is insecure because...

I just use diffirent email for each service, so I could identify leaks.

>So I guess just assume all your passwords are cracked and use a password manager.

I mean I do, and that's why I have 100+ passwords that MIGHT be compromised. I don't even know where to start? Seems like the password should be shareable if you control the email or something like that. Fuck, I'd take a cc style last four type redaction or something.

For me, it was leaked through boltcd, elance, and reseller ratings. All those emails had been regularly leaked.

I know because every time I register for a site I use site@mydomain.com as my email.

Troy's site does indicate which site breach it came from generally. I ran my emails and found it funny when myspace came up (and others I was aware of). I guess I did have an account there after all but I've used password safe for over a decade and always have unique passwords including that one from 2007.

But most of these breaches are just aggregation of passwords he found like in this particular example. It doesn't tell you which website got hacked originally.

I took the habit of giving a unique random alias to every website or service who requires my email. The additional benefit is that I can single out where the breach (or spam) came from if I see that unique alias. I only started doing that about 3-4 years ago and so far only the dailymotion breach popped up.

You can also do that with gmail by using the login+alias@gmail.com syntax but it's well known and trivial for a hacker to defeat.

I've found that a lot of sites will not accept an email with a + in it nowadays.

He has a service that lets you enter a password to check if it’s been pwned though. I guess these are disassociated from user emails?

Still seems insane to upload your password.

> So I guess just assume all your passwords are cracked and use a password manager.

Even if it's not in the HIBP base, you should always assume that. That's why you should always enable MFA everywhere it's possible and consider all services where it's not already compromised.

I know which passwords were breached by all the emails I get telling me "we know your password is XXXXXXXXX. Pay up or else". There's 4 or 5 in the first 30 messages in my email spam folder. >:(

Hmmm? He tells you which breach it came from, so in my case I know LinkedIn, Adobe, Dropbox, Binweevils (thanks kids!)

In my case I have an email that was found in Collection #1, but without knowing which site(s). It's an information I'd like to know.

You can check the sites involved in the pastebin directory list though.

Reading this tweet ( https://twitter.com/troyhunt/status/1085095504197779456 ), I've just donated the price of a coffee to Troy ( https://haveibeenpwned.com/Donate ), and you should too.

HIBP is quickly becoming a critical piece of the Internet security infrastructure, and Troy should be lauded for undertaking it basically by himself.

I like the service. I just donated, too.

> Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It's made up of many different individual data breaches from literally thousands of different sources. (And yes, fellow techies, that's a sizeable amount more than a 32-bit integer can hold.)

I hate to be that guy [1], but no, that does fit in a 32-bit integer - as long as it's unsigned.

From the tweet, it seems like SQL Server puts the result of a COUNT into a signed 32-bit integer, which really surprises me.

[1] I lied, i love being that guy.

I got a notification today that my domain has been included in this collection.

But as far as I can see it is gibberish spam-mails. I see 500+ entries such as:

i.e. None of these emails at my domain are real, nor have they ever been real.

That said if you allow password-based authentication on a server which is shared you might consider using my PAM module:


It does lookups of previously-leaked passwords. Best practice these days is SSH-keys for authentication, but this would cover weak sudo passwords too, etc.

Someone from a well-known leak forum is claiming that the "Collection #1" discovered by Troy Hunt is only part #1 of all available collections (there are at least 5, and additional other dumps). He also posted a screenshot of the original sales thread of the owner. The dumps together seem to have a total size of almost 1TB.

Not sure whether it's cool to post any links here.

If you're using keepass, there are some plugins to check against HIBP: https://keepass.info/plugins.html

I'm gonna download the passwords offline and try this plugin: https://github.com/mihaifm/HIBPOfflineCheck

(you can grab the offline passwords from here: https://haveibeenpwned.com/Passwords )

What's the latest consensus on the best password manager these days. I see he is recommending 1Password, but I recently found Bitwarden which looks quite good.

Bitwarden (https://bitwarden.com/) is great and scores well in feature comparisons -- there was one on here recently. It's open source and has recently been audited too. It's free for the basic service, and really cheap for additional features. Great mobile apps and a web vault. And you can self-host. No bad points really.

The things that held me back from Bitwarden is the relatively short age of the company at 2~ years and the fact that there is only one dev. I'm reaching here. But even though the code is open source, he still owns the distribution. He can potentially be compromised (whether maliciously or not) and release an update that uploads the entire vault to him unencrypted. It could take a while before the internet caught on that the source code doesn't match the release build.

This of course could happen in a company like 1Password and there is at some point that I need to make the call and trust the person(s) coding the password manager. I feel that with 1Password there's at least the large size of the company which would mean more eyeballs and accountability. There is also the history of the company at 12~ years. This includes vetting and buy in from larger companies, which inspires a vote of confidence.

FWIW Bitwarden checks off nearly all the other boxes for me and I think the single dev has done a seriously bang up job.

All valid points. I guess nothing is perfect and you just need to decide where you're happy to compromise.

I recommend this one too. The paid subscription option also gives you encrypted file uploads. Great for those 2FA backup code lists.

I'd agree with him: 1Password

- long history - to me it's the original password manager

- frequent updates and always keeping up with relevant OS features, like iOS AutoFill which allows 1Password to be set as the default iOS password store: https://support.1password.com/ios-autofill/

- flawless experience

I use keepass. There are mobile apps and it can load from a cloud account.

KeePass + Syncthing + YubiKey = Awesome, and free!

Does keepass support yubikey out of the box or is there a certain plugin you use? What do you do about mobile?

KeePassXC supports YubiKey out of the box. I do not access anything important via phone. I usually have my laptop nearby anyway.

Now I just recommend to people (who don't understand password managers) to use chrome's built-in feature.

It's better than using the same password.

I used to think this, but I think this is actually bad advice for a few reasons.

1. People are bad at making new passwords 2. Someone might clear their browser history and delete the logins as a result. 3. Lock-in into the Chrome ecosystem.

I personally use KeePass, but I understand it is a bit cumbersome to carry around a USB stick.

I'd recommend LastPass to those who don't understand simply because it has a free tier, but everyone else should seriously consider paying the 2$ a month for whichever service they use.

Chrome now has a "generate password" option in password fields, and a page where the passwords can be managed.

For the people I'm talking about, installing and maintaining a "real" password manager isn't going to happen. The alternative is for them to continue using "Nameofcat1" for every damn site.

It's a reasonable trade-off.

I tried using Chrome's built in feature but I found the password field was set up wrong on many sites and therefore the "Generate Strong Password" wouldn't be an option. I've since started using BitWarden.


My email/pw is in there but there is easy way to know from which website so I don't know which password I have to change.

All my passwords are randomly generated so they are different for all websites.

so strange ...

i’ve checked again if i was pwned and on the top there is a service i’ve never signed up - Apollo, a sales acceleration platform

i’m a simple dev and never subscribed to a sales service ....

I got the same. Anyone here know what is Apollo?

Same here. I had never heard of them. Turns out they're a YC'15 startup (https://www.apollo.io/company/). There are no passwords in the data they lost according to HIBP. They seem to collect personal data from various sources and help other companies increase sales.

So not only do we have to worry about websites we actually use being compromised, but we also have to worry about these sketchy third-party companies that have purchased our data being hacked.

There is the rumor that it is called Collection #1 because it was part of a larger dump consisting of Collection #1, Collection #2, etc. There is also the rumor that the whole set was sold for - now hold on tight - the ginormous sum of $45.

Let say my email appeared on Pwned list. And given most ( at least I think most ) people have zillions of web forums, services, sites, services using the email address.

What should you do now? I mean editing and changing password in everyone of them seems like a daunting task. And many of those services I no longer use anyway.

I am thinking of completely giving up the identity and start over, which seems easier. Or any other thoughts and comments?

Edit: I will definitely pay Apple a monthly fee if there is some simple and easy way to have online identity using email along with FaceID or Touch ID as 2FA. Getting rid of password while increasing security is something that should have happened but has yet to happened.

Just use a different e-mail and password for each web site.

Got a few 'hacker' emails on one of my throwaway addresses on this list the last few days. That account was leaked before in another list so this was not worrisome as I get those all the time for this address.

What did strike me as odd this time is that they did not end op in my spam folder but in my inbox. I'm using Gmail which normally for me has a very good spam/phishing detection. Somehow these mails came through though? Maybe its just an instance and Google was late to catch up with the cat/mouse game on this attack. Or these phishers are getting more sophisticated?

Gmail, and other large providers, use filters that adapt based on user input. If you report the messages as spam then the filter will learn, and hopefully catch them the next time.

Anyone got a link to the actual data?

There's a .torrent of Collection #1 available here:


I found the link via a comment on /r/pwned [1]. I think it originally came from RaidForums [2].

[1] https://www.reddit.com/r/pwned/comments/agsjie/troy_hunt_the...

[2] https://raidforums.com/Thread-Collection-1-5-Zabagur-AntiPub...

In case nobody else has anything better: check the discord server of the-eye.eu .. My guess is that there is somebody who has it.

Oh, it must be Tuesday. I've just updated my blog post[0] with some password best practices and it's amazing how little has changed in the last 4 years.

[0] https://darekkay.com/blog/another-password-leak-oh-must-tues...

Funny, I downloaded about 700GB of password dumps last week trying to figure out how someone got one of my passwords (no big deal, they never managed to access anything)

Maybe it was this one.

HIBP doesn't protect the privacy of searched passwords!

Showing 20 bits of the password hash narrows down the possible passwords to one millionth. You should check it locally by downloading the password hash list.

Here's one more record to add: my HN password is my username. Feel free to use this account for anonymous well-intentioned posting.

Heh, plausible deniability

... but with a non-trivial risk of someone else locking you out from your own account.

Thank you for upvoting my post :-)

That's a nice display of trust in the community.

That is a lot of trust.

Nice, thanks!

You’re welcome, it may be an interesting social experiment to watch

FWIW, this comment was not made by me, the creator of this account.

We've banned this account. Please don't do signal/noise-destroying tricks on HN.

If you want the account unbanned, feel free to email hn@ycombinator.com with evidence that you own it and a promise not to do stuff like this.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact