DarkBeam leaks billions of email and password combinations (securityaffairs.com)
82 points by exKitsune on Sept 28, 2023 | hide | past | favorite | 36 comments



Each time a breach like this happens I want to download the file and check if

1. My emails are in the dataset, and

2. Any of my passwords are in that dataset.

I really just want the collection of passwords so that I can use it as a check against any of my current passwords.

[EDIT: I know about haveibeenpwned.com; I'm not asking for a service that I send an HTTP request to in order to determine if a single username exists in the db, I want the db itself so I can chuck it into sqlite and check multiple records at a single time, quickly, for both usernames alone and passwords alone.

I also believe it's a bad idea to ask a third party to perform the check. Even if you trust that third party now, there is no way to ensure that trust in the future - i.e. it gets bought, breached or pwned itself in the future and the best-case scenario is that the record of your username lookup is available as "confirmed". Without visiting that site, no one would ever know if that record was a throwaway or not.]


HIBP lets you download their hashed passwords DB to check against.

https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader
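The local check the first commenter describes (load the hashes into sqlite, query several candidates at once, send nothing over the network) combined with the downloadable hash list this reply points at, as an added example that is not part of the thread and not the HIBP project's own code. It assumes the export layout is one `<UPPERCASE SHA-1>:<prevalence>` line per password; the sample lines below are constructed from made-up passwords, not taken from any real leak.

```python
import hashlib
import sqlite3


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the Pwned Passwords list is keyed on (assumption)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample export: hashes of made-up passwords with made-up prevalence
# counts, in the assumed "<HASH>:<count>" layout of the downloaded list.
SAMPLE_EXPORT = "\n".join(
    f"{sha1_hex(pw)}:{count}"
    for pw, count in [("password", 9545824), ("letmein", 234101), ("qwerty123", 56012)]
) + "\n"


def open_db(export_text: str, path: str = ":memory:") -> sqlite3.Connection:
    """Load an export into a sqlite table keyed on the hash.

    The PRIMARY KEY gives an indexed lookup, so checking a password is a
    single B-tree probe even when the real list has hundreds of millions
    of rows. Malformed or blank lines are skipped rather than aborting.
    """
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS pwned (hash TEXT PRIMARY KEY, prevalence INTEGER)"
    )
    rows = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, sep, count = line.partition(":")
        if not sep or len(digest) != 40:
            continue  # not a hash line; ignore
        rows.append((digest.upper(), int(count or 0)))
    conn.executemany("INSERT OR REPLACE INTO pwned VALUES (?, ?)", rows)
    conn.commit()
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM pwned").fetchone()[0]


def check_passwords(conn: sqlite3.Connection, passwords):
    """Return {password: prevalence}, with 0 for passwords not in the list.

    Only the hash is ever compared, and the comparison happens entirely in
    the local database; the candidate passwords never leave this process.
    """
    found = {}
    for pw in passwords:
        row = conn.execute(
            "SELECT prevalence FROM pwned WHERE hash = ?", (sha1_hex(pw),)
        ).fetchone()
        found[pw] = row[0] if row else 0
    return found


if __name__ == "__main__":
    db = open_db(SAMPLE_EXPORT)
    # Candidates a user might want to audit; the second one is not in the sample.
    for pw, hits in check_passwords(db, ["password", "correct horse battery staple"]).items():
        status = f"seen {hits} times in breaches" if hits else "not in the list"
        print(f"{sha1_hex(pw)[:10]}...: {status}")
```

To use it against a real download, replace `SAMPLE_EXPORT` with the file contents (or stream the file line by line into the same table) and point `open_db` at an on-disk path so the import is done once; the check itself then runs offline, which is the property the original commenter was after.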


If you use any of the better password managers this feature exists and runs automatically. If you don't want to go that route, then you can make use of https://haveibeenpwned.com/


I have a Gmail account which Google One shows has been leaked on the dark web along with a username, but haveibeenpwned shows the email was not found in any data breach. How is that possible?


They're using different data sources.


Thank you, I've edited my comment to be more specific.


I agree - download all the passwords and don't single out what you're checking for someone else to see.

I don't know why we can't use this kind of thing for better privacy everywhere.

A similar example (outside the realm of passwords) would be when checking for a software update. Instead of sending "i have software xyz version 1.2.3", just download a current list of software and check it locally against your software. Probably would be faster anyway to download a static dataset instead of hitting a remote database.


Services already exist that do this. Some password managers will check, but the popular service often talked about on here is https://haveibeenpwned.com/


Thank you, I've edited my comment to be more specific.


Download Have I Been Pwned's dataset then: https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader


They used to publish a torrent with hashes, but then went full SaaS.


Each time a breach like this happens I want to download the file and check if

1. People on my s*t list are in the dataset, and

2. Any of their passwords are in that dataset.

Then I can use the information to make their lives miserable.


Darkbeam was acquired by apexanalytix only two days ago. [0] Hope they are still happy with their purchase...

[0] https://www.darkbeam.com/blog/apexanalytix-acquires-darkbeam


The data breach announcement is a bit vague on the meaning of “login pairs”. The best practice of breach databases like https://haveibeenpwned.com/ is to maintain records of login material (username, email, password etc.) in a strongly hashed format. This still enables searching and comparing but not extracting for later use. Why the database here looks like plain text is totally unclear. Or maybe the passwords are hashed here also (which anyway exposes email addresses)?


The company I work for (stytch.com, we provide an authentication API) tracks breached passwords and, depending upon config, will invalidate passwords that have been leaked. Will be interesting to watch our logs over the coming weeks.


This reminds me of [0] where they maintain composite lists of frequently used passwords. Also in the repo is probably my favorite pull request ever [1].

[0] https://github.com/danielmiessler/SecLists

[1] https://github.com/danielmiessler/SecLists/pull/155


... do you happen to have a service that lets users know if their password was in the breach?



^yup, haveibeenpwned is the best public service to check this sort of thing. I don't think they've pulled it in yet.


yeah but do they have this breach yet?

edit: the OP suggests there are some password lists that are known leaked but not in public leak docs. not sure if pwned is only public leaks?


I suppose it would require a good few domains and/or public mailboxes, but imagine if one were to create n fake users for each real user. If any of the fake users log in to their account, all users are forced to change their password.



Thanks, fascinating stuff. Now if you excuse me, I have swarms of canaries to make.

https://canarytokens.org/generate


>Use our personal data leak checker to see if your data – email, phone number, or password – has been leaked.

What is the chance that my email and phone number aren't everywhere? Email and phone aliases are still rare.


Culprit: non-password protected instances


The irony is Darkbeam positions itself as a digital risk management platform. A basic SOC 2 security audit would reveal these vulnerabilities.


No. Only if the database was exposed at the time of the audit.


Well, if you have some compliance automation, these things are caught very easily.


The things you're saying make it sound like you are harming clients by misrepresenting security to them.

Security has to start from "when", not "if", precisely because it is fundamentally impossible to guarantee.


That sounds like a slam-dunk GDPR violation case and a hefty fine.


Oh the irony


Multifactor authentication or bust.


No evidence is presented that anybody but the security researcher noticed the unprotected data. The data is a compilation of previously leaked emails.


"exposing records with user emails and passwords from previously reported and non-reported data breaches."

I think you mean to say that there is no evidence presented precluding someone grabbing the data?


Not sure what your point is about non-reported, but that's still previously leaked data. It probably means stuff found in the dark webs.


[deleted]


To +1 this:

>... from previously reported and non-reported data breaches.





