Originally published at: https://boingboing.net/2019/01/16/87-gb-12000-files.html
…
“…a billion here, a billion there…”
So you’re saying it’s time to change my password? I mean, passwords?
Apparently I’ve been pwned. Changed my passwords. I have 2FA enabled already, and my old password wasn’t compromised, but better safe than sorry.
I have been pwned on 2 websites out of probably hundreds. I’ll call that a win.
Hmm. Tempting to put up a honeypot that’s “crackable” with vast amount of random user/passwords.
I’ve been on these lists before, and it’s annoying because elite hackors keep trying to access my bank account using my “insecure web page password” instead of the “only that bank really long password” and keep triggering the bank to shut the account down.
Clean bill of health. Nice
Good time to remind everyone that:
- The BBS supports two-factor auth (2FA). Find it in your settings.
- The reason to use the various login options we support (Google, GitHub, etc) is that they will block suspicious logins here, too. If you can’t/won’t enable 2FA, those are your next best option.
- Regardless of the above, get/use a good password manager, and use dedicated, unique passes for everything.
My e-mail provider allows for up to 100 aliases for my account so I use unique e-mail addresses for banking, shopping, commenting on the internet, etc… So far none of the important ones have shown up on any of these lists.
It’s actually very easy to come up with unique passwords for everything and have them written down in a way that avoids the evil maid problem. Here’s an example of an easy to remember, but hard to crack, Facebook password:
Ykwctam$?
That string of letters and symbols is difficult to remember, but you know what’s easier to remember? “You know what’s cooler than a million dollars?”
And, writing the password down in a notebook could be as simple as:
$1B
This would be meaningless to any third party, but would immediately remind you of the password. Quotes from movies, lyrics, lines of poetry… anything you can remember offhand can be turned into an acronym for a password.
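The acronym trick in the comment above, plus the check a practitioner would add before adopting such a password, as an added example that is not from the original thread. It turns a memorable sentence into its first-letter form (with the "dollars" to "$" substitution the comment uses; the small word map is an assumption of this example), and then checks the result the way Have I Been Pwned's Pwned Passwords range API works: only the first five hex characters of the SHA-1 hash identify the bucket, and the full hash suffix is compared locally. The breach corpus here is a constructed stand-in built from a few obviously weak passwords, not real HIBP data, so everything runs offline.

```python
import hashlib

# Assumed word-to-symbol substitutions (the comment only shows "dollars" -> "$").
WORD_MAP = {"dollars": "$", "and": "&", "at": "@"}
TRAILING_PUNCT = "?!.,;:"


def acronym_password(phrase: str, word_map: dict[str, str] = WORD_MAP) -> str:
    """Build a password from the first letter of each word, keeping the
    original capitalisation and any trailing punctuation on a word."""
    out = []
    for token in phrase.split():
        # Separate trailing punctuation so "dollars?" becomes "dollars" + "?".
        core = token.rstrip(TRAILING_PUNCT)
        punct = token[len(core):]
        if not core:
            out.append(punct)
            continue
        out.append(word_map.get(core.lower(), core[0]) + punct)
    return "".join(out)


def sha1_hex(password: str) -> str:
    # Pwned Passwords publishes upper-case hex SHA-1 digests.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked_counts: dict[str, int]) -> dict[str, list[str]]:
    """Constructed stand-in for the /range/<prefix> endpoint: maps a 5-char
    hash prefix to lines of the form 'SUFFIX:COUNT', as the real API does."""
    index: dict[str, list[str]] = {}
    for password, count in leaked_counts.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


# Constructed sample corpus (not real breach data).
SAMPLE_INDEX = build_range_index({"password123": 3, "qwerty": 7, "letmein": 2})


def pwned_count(password: str, index: dict[str, list[str]]) -> int:
    """Return how often the password appears in the corpus, using the
    k-anonymity scheme: only the prefix selects a bucket, the suffix is
    matched locally, so the password itself never needs to leave the machine."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in index.get(prefix, []):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    pw = acronym_password("You know what's cooler than a million dollars?")
    print(pw)                                   # Ykwctam$?
    print(pwned_count(pw, SAMPLE_INDEX))        # 0
    print(pwned_count("password123", SAMPLE_INDEX))  # 3
```

Against the real service the bucket would come from an HTTPS request for the five-character prefix; the matching logic stays the same, and a count above zero means the mnemonic is already in circulation and should not be used.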
Oh no, I got pwned, too. Disqus and LinkedIn. Hmm, should I change my passwords? Nah, let the hackers have those accounts.
Joke’s on them, I’m actually a honeypot
A database of names and passwords weighs 87 GB?!
Why not a simple txt file? What am I missing?!
Apparently I’ve been pwned on MySpace… MySpace? I don’t remember ever having joined MySpace.
So what exactly does it mean if your email address has been “pwned” but not the associated password? Just that the address will show up in lists for spam but the account can’t be logged into?
I got a hit and after some reverse-checking, found it was a password related to the old windows app for tweetdeck. Weird.
So how do you find out what site your email has been “pwned” for? Changing all my passwords would probably take a week!
Only four breaches for my email address, and those are old breaches where I have since changed my password.
That’s the annoying thing about the “Have I Been Pwned?” website. There’s no way for it to practically update its records, so once your email account has been compromised, as far as the site’s concerned it’s compromised forever.