A huge 600 gigabyte file containing about 2.2 billion compromised user names and passwords has been spotted circulating on the dark web, freely available to anyone who wants to download it via torrent. While the words "good news" and "breached accounts" never belong in the same sentence, the small silver lining here is that this appears to be a collection of old data rather than any kind of new breach.
The information in the file is essentially a roundup of material from the biggest data breaches of recent years: Yahoo!, LinkedIn, Dropbox and more. The breached accounts are not limited to these incidents, however: security researchers have found credentials in the file dating back to 2008.
It is unclear whether data from any of the recent Facebook incidents is present in this dump. Mark Zuckerberg and his two billion Facebook users are probably not at risk from what is known so far; neither Cambridge Analytica nor the access-token breach of September 2018 (initially reported as affecting 50 million users) exposed user login credentials to the general public. This collection does, however, include enough important websites that everyone should pay attention.
Most of the information in this file was already publicly available, or at least in wide circulation in the hacking community over recent years. Well-resourced professional attackers have most likely already discovered it and taken their shot at these accounts.
The news of the release, plus the convenience of having all these credentials in one place, may nevertheless encourage amateurs to take a crack at some of these accounts. Because this is a compilation of user names and passwords, the main risk is credential stuffing: trying a leaked email and password pair against other sites where the same password was reused. Any old password that could be included in this collection should be changed immediately. It would also be prudent to review the breaches whose data is included, to make sure no other compromising or exploitable data is available from the affected accounts.
Sources of the breached accounts
The compromise of 68 million Dropbox user accounts came to light in 2016. Attackers had used an inadequately protected employee password to obtain email addresses and hashed, salted passwords from accounts created in 2012 and earlier. The data was initially offered for sale on the dark web, but was quickly obtained by a number of technology magazines and security publications.
The LinkedIn accounts of around 170 million people were compromised in 2012, but the data stayed in private hands until it unexpectedly surfaced on the dark web in 2016. The hackers obtained email addresses (linked to LinkedIn member ID numbers) and hashed passwords.
Yahoo! suffered two serious security breaches, one in 2013 and one in 2014. Between them, almost every Yahoo! account created before the breaches is believed to have been affected, meaning at least three billion in total. Yahoo! began disclosing details of these breaches in 2016, but their full extent was not known until 2017. The FBI charged hackers working for Russia's Federal Security Service with the crime.
Myspace was hacked at some point before 2013, when the pioneering social network still had a substantial user base; the breached accounts date from that period. Details of 360 million accounts in total were compromised in this breach, including email addresses and birth dates.
150 million Adobe users had their accounts breached in a 2013 attack. The stolen data included login details (email addresses with password hashes) and credit card numbers.
Other possible inclusions
These are just the largest of the known data sets included in the recent compilation. Other sources, both large and small, may well be present among the billions of account records it contains.
Other serious breaches of similar data during this period occurred at Marriott (500 million accounts), Adult Friend Finder (412 million), eBay (145 million), Heartland Payment Systems (134 million), Target (110 million) and the Sony PlayStation Network (77 million).
This incident serves as a reminder to practise good security hygiene and to send reminders to employees, regardless of whether their personal data has turned up in the collection.
Passwords should never be reused across accounts and should be a long mix of letters, numbers and symbols. A good password manager greatly simplifies this. With a password manager you need to remember only one strong master password (or set up an alternative authentication method such as biometrics) to access all your other accounts.
The fact that passwords were (in most cases) hashed and salted in these leaks merely slows attackers down rather than stopping them. With the hashes in hand, an attacker can brute-force them offline at leisure: salting only stops a single precomputed table from being reused across all users, and a fast general-purpose hash keeps per-user guessing cheap. This narrows the field to those with the equipment, knowledge and inclination to do it, but rest assured they are out there.
If you are worried that a particular account has been compromised, Have I Been Pwned can tell you whether a given email address or password has appeared in any known data set. You enter each one individually, and the site does not tie them together in any way.
Activity on the accounts associated with this leak is very likely to increase, as has been the pattern with every high-profile public data leak of this kind to date. Some attackers will be seeing this information for the first time and will want to test it. Although most of the accounts involved have probably been notified and secured by now, even a small unsecured percentage would make it worthwhile: if only half a percent of the 2.2 billion accounts in this compilation remained vulnerable, that would still be over ten million ripe for exploitation.
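The two paragraphs above make a claim worth seeing in code: salting defeats a precomputed lookup table, but a per-user dictionary attack on a fast hash still recovers weak passwords, while a long manager-generated password survives and a slow key-derivation function cuts the guess rate by orders of magnitude. The following is an added example written for this page, not code from the article or from any breached site; the user accounts, wordlist and salted SHA-1 records are constructed here for illustration.

```python
import hashlib
import os
import secrets
import string
import time

# Constructed sample data, not records from any real breach: a tiny wordlist of
# common passwords and a few made-up accounts.
WORDLIST = ["123456", "password", "qwerty", "letmein", "linkedin2012", "sunshine"]
LEAKED_USERS = {
    "alice@example.com": "password",
    "bob@example.com": "linkedin2012",
}


def sha1_salted(salt: bytes, password: str) -> str:
    """Fast hash of the kind found in older dumps; unsuitable for passwords."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_salted(salt: bytes, password: str) -> str:
    """A deliberately slow KDF (bcrypt, scrypt or Argon2 are the usual production picks)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def strong_password(length: int = 20) -> str:
    """What a password manager generates: long, random and unique per site."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_leak(users: dict) -> list:
    """Records (email, salt_hex, sha1_hex) as a breached site might have stored them."""
    records = []
    for email, pw in users.items():
        salt = os.urandom(8)                      # per-user salt
        records.append((email, salt.hex(), sha1_salted(salt, pw)))
    return records


def unsalted_table(wordlist: list) -> dict:
    """Precomputed sha1(password) -> password table, the rainbow-table idea."""
    return {hashlib.sha1(w.encode("utf-8")).hexdigest(): w for w in wordlist}


def lookup_attack(records: list, table: dict) -> dict:
    """Try the precomputed table against salted records: the salts make it useless."""
    return {email: table[digest] for email, _, digest in records if digest in table}


def dictionary_attack(records: list, wordlist: list) -> dict:
    """Per-record dictionary attack. Every guess must be re-hashed with the record's
    own salt, which only hurts the attacker when the hash itself is slow."""
    found = {}
    for email, salt_hex, digest in records:
        salt = bytes.fromhex(salt_hex)
        for guess in wordlist:
            if sha1_salted(salt, guess) == digest:
                found[email] = guess
                break
    return found


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core guess rate for a hash_fn(salt, password) callable."""
    salt, n, deadline = os.urandom(8), 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(salt, "guess%d" % n)
        n += 1
    return n / seconds


# Third account uses a manager-generated password that no wordlist will contain.
LEAK = make_leak({**LEAKED_USERS, "carol@example.com": strong_password()})

if __name__ == "__main__":
    print("precomputed-table lookup recovers:", lookup_attack(LEAK, unsalted_table(WORDLIST)))
    print("salted dictionary attack recovers:", dictionary_attack(LEAK, WORDLIST))
    print("SHA-1 guesses/s: %.0f, PBKDF2 guesses/s: %.0f"
          % (guesses_per_second(sha1_salted), guesses_per_second(pbkdf2_salted)))
```

Running it shows the lookup table recovering nothing, the dictionary attack recovering alice's and bob's passwords but not carol's, and the PBKDF2 guess rate several orders of magnitude below SHA-1, which is the whole difference between "slows attackers" and "stops them" on a realistic wordlist.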
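For the password side of that check, the detail a practitioner wants is that the Pwned Passwords lookup never receives the password or even its full hash: the client sends only the first five hex characters of the SHA-1 and matches the rest locally against the returned suffixes. The example below is added here and is not code from the article or from Have I Been Pwned; `fetch_range_live` uses the real range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`, one `SUFFIX:COUNT` line per result), while `fetch_range_fake` is a constructed stand-in with a made-up count so the demo runs offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple:
    """k-anonymity split: only the 5-character prefix ever leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse the range response: one 'SUFFIX:COUNT' line per hash sharing the prefix."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    fetch_range(prefix) -> response body; injected so this is testable offline."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real query against the public range API (needs network; not used by the demo)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API: knows one "breached" password with a made-up
# count and answers in the same line format, so the check can be run offline.
_FAKE_CORPUS = {"password": 42}


def fetch_range_fake(prefix: str) -> str:
    lines = []
    for pw, n in _FAKE_CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append("%s:%d" % (s, n))
    lines.append("0" * 35 + ":1")   # unrelated filler suffix, as real responses contain many
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple, but unique"]:
        prefix, _ = split_hash(candidate)
        print("sent prefix %s -> seen %d times" % (prefix, pwned_count(candidate, fetch_range_fake)))
```

Swap `fetch_range_fake` for `fetch_range_live` to query the real service; either way the server learns only a five-character prefix shared by hundreds of unrelated hashes, which is why this check is safe to run on a password you still use.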
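The surge in login activity predicted above has a recognisable shape in authentication logs: one source address cycling through many distinct user names with a high failure rate, the occasional success marking an account whose leaked password still works. The detector below is an added example written for this page, not the article's or any vendor's code; the log format (timestamp, source IP, user, result) and the sample lines are constructed for illustration, and the thresholds are assumptions to tune per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log, not from any real system.
# 203.0.113.7 is a stuffing source (many users, mostly failures, one hit);
# 198.51.100.9 is a shared office address (many users, mostly successes);
# 192.0.2.44 is one person mistyping their own password.
SAMPLE_LOG = """\
2019-01-18T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-01-18T10:00:02Z 203.0.113.7 bob@example.com FAIL
2019-01-18T10:00:03Z 203.0.113.7 carol@example.com FAIL
2019-01-18T10:00:04Z 203.0.113.7 dave@example.com OK
2019-01-18T10:00:05Z 203.0.113.7 erin@example.com FAIL
2019-01-18T10:00:06Z 203.0.113.7 frank@example.com FAIL
2019-01-18T10:01:00Z 198.51.100.9 gina@example.com OK
2019-01-18T10:01:10Z 198.51.100.9 hal@example.com OK
2019-01-18T10:01:20Z 198.51.100.9 ivan@example.com OK
2019-01-18T10:01:30Z 198.51.100.9 judy@example.com OK
2019-01-18T10:01:40Z 198.51.100.9 ken@example.com FAIL
2019-01-18T10:01:45Z 198.51.100.9 ken@example.com OK
2019-01-18T10:30:00Z 192.0.2.44 alice@example.com FAIL
2019-01-18T10:30:05Z 192.0.2.44 alice@example.com FAIL
2019-01-18T10:30:10Z 192.0.2.44 alice@example.com OK
"""


def parse_line(line: str) -> tuple:
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_stuffing(log_text: str, window: timedelta = timedelta(minutes=5),
                    min_users: int = 5, min_fail_ratio: float = 0.8) -> dict:
    """Flag source IPs that, within one window, tried at least min_users distinct
    accounts with a failure ratio >= min_fail_ratio. The returned 'successes' are
    the accounts to treat as compromised, since their leaked password was valid.
    Requiring a high failure ratio keeps shared NAT addresses from tripping it."""
    buckets = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "successes": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        start = ts - (ts - datetime.min) % window      # floor timestamp to window boundary
        b = buckets[(ip, start)]
        b["users"].add(user)
        b["attempts"] += 1
        if result == "OK":
            b["successes"].append(user)
        else:
            b["fails"] += 1

    alerts = {}
    for (ip, start), b in buckets.items():
        ratio = b["fails"] / b["attempts"]
        if len(b["users"]) >= min_users and ratio >= min_fail_ratio:
            alerts[ip] = {"window_start": start, "users": len(b["users"]),
                          "attempts": b["attempts"], "fail_ratio": round(ratio, 2),
                          "successes": b["successes"]}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample log only 203.0.113.7 is flagged, with dave@example.com listed as a successful login to force-reset and review; the office address is spared by its success rate, and the single mistyping user never reaches the distinct-user threshold.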