Category Archives: password

Collection #1 Data Breach Exposes Nearly 733 Million Records, Highlighting Need for Multifactor Authentication

The theft of nearly 733 million unique email messages and 21 million passwords underscores the urgent need for multifactor authentication in the enterprise.

First discovered by security researcher Troy Hunt, records from the data breach were published to a hacker forum as well as the cloud-based service MEGA, though they have since been removed.

The perpetrators behind the theft, dubbed Collection #1, remain unknown, but the volume of 12,000 files suggests that it may have involved multiple incidents and actors. Cleaned-up versions of the files have been loaded into Have I Been Pwned, which users can leverage to check whether their data was compromised in the breach.

Why Collection #1 Data Is Particularly Dangerous

While any data breach of this magnitude would raise concerns, the files included in Collection #1 include login credentials that have been dehashed. In other words, the threat actors who stole the information were able to convert it into plain text.

This could make it a lot easier for attackers to use those credentials to break into various email servers and other online systems. By using bots, for instance, threat actors could launch credential-stuffing attacks to access multiple accounts with the same stolen password, as Forbes pointed out.

Use Multifactor Authentication Where It Counts

The Collection #1 breach serves as a reminder that a password alone is not enough to protect data from theft or misuse. When emails, login credentials or other files belonging to a business or government organization are compromised, the risk of financial or reputational damage is even greater.

Obviously, the sensitivity of this data necessitates stronger protection for individual workstations and business applications, but IT professionals should also consider the security of the mainframes that keep so many operations and processes running within the enterprise. Multifactor authentication adds layers of defense that credential-stealing threat actors will need to penetrate to access the mainframes, devices and IT infrastructure that hold valuable enterprise data.

The post Collection #1 Data Breach Exposes Nearly 733 Million Records, Highlighting Need for Multifactor Authentication appeared first on Security Intelligence.

773 million records with emails & plain text passwords leaked online

By Waqas

It’s a whopping 87GB of data – find out if you are affected by the massive data breach. Security researcher and founder of Have I Been Pwned, Troy Hunt, has revealed that around 773 million ‘unique’ email IDs and 22 million ‘unique’ passwords were available on MEGA cloud service. Later on, the same data was found posted […]

This is a post from HackRead.com Read the original post: 773 million records with emails & plain text passwords leaked online

Nearly 800 Million Email Addresses Exposed in “Collection #1” Data Breach

A data breach known as “Collection #1” exposed approximately 800 million email addresses as well as tens of millions of passwords. In the beginning of January, multiple people reached out to Australian web security expert Troy Hunt about a sizable collection of files hosted on cloud service MEGA. This collection, which is no longer available […]

The post Nearly 800 Million Email Addresses Exposed in “Collection #1” Data Breach appeared first on The State of Security.

Reddit users locked out of accounts after ‘security concern’

A large number of Reddit users are being told that they will have to reset their passwords in order to regain access to their accounts following what the site is calling a “security concern.”

The lockout has occurred as Reddit’s security team investigates what appears to have been an attempt to log into many users’ accounts through a credential-stuffing attack.

Read more in my article on the Tripwire State of Security blog.

Reddit users locked out of accounts after “security concern”

The post Reddit users locked out of accounts after “security concern” appeared first on The State of Security.

Abine says Blur Password Manager User Information Exposed

Customers who use the Blur secure password manager by Abine may have had sensitive information leaked, according to a statement by Abine, the company that makes the product. 

The post Abine says Blur Password Manager User Information Exposed appeared first on The Security Ledger.

Porn Extortion Email tied to Password Breach

(An update to this post has been made at the end)

This weekend I received an email forwarded from a stranger.  They had received a threatening email and had shared it with a former student of mine to ask advice.  Fortunately, the correct advice in this case was "Ignore it."  But they still shared it with me in case we could use it to help others.

The email claims that the sender has planted malware on the recipient's computer and has observed them watching pornography online.   As evidence that they really have control of the computer, the email begins by sharing one of the recipient's former passwords.

They then threaten that they are going to release a video of the recipient recorded from their webcam while they watched the pornography unless they receive $1000 in Bitcoin. The good news, as my former student knew, was that this was almost certainly an empty threat. There have been dozens of variations on this scheme, but it is based on the concept that if someone knows your password, they COULD know much more about you. In this case, the password came from a data breach involving a gaming site where the recipient used to hang out online. So, if you think to yourself "This must be real, they know my password!" just remember that there have been HUNDREDS of data breaches where email addresses and their corresponding passwords have been leaked. (The website "Have I Been Pwned?" has collected over 500 Million such email/password pair leaks. In full disclosure, my personal email is in their database TEN times and my work email is in their database SIX times, which doesn't concern me because I follow the proper password practice of using different passwords on every site I visit. Sites including Adobe, which asks for you to register before downloading software, and LinkedIn are among some of the giants who have had breaches that revealed passwords. One list circulating on the dark web has 1.4 BILLION userids and passwords gathered from at least 250 distinct data breaches.)

Knowing that context, even if you happen to be one of those millions of Americans who have watched porn online, DON'T PANIC! This email is definitely a fake, using their knowledge of a breached password to try to convince you they have blackmail information about you.

We'll go ahead and share the exact text of the email, replacing only the password with the word YOURPASSWORDHERE.

YOURPASSWORDHERE is one of your passphrase. Lets get directly to the point. There is no one who has paid me to investigate you. You don't know me and you are most likely wondering why you are getting this mail?
In fact, I actually installed a malware on the X video clips (porn) web site and do you know what, you visited this site to experience fun (you know what I mean). When you were watching video clips, your browser initiated functioning as a RDP that has a key logger which provided me accessibility to your display screen and also cam. after that, my software obtained your entire contacts from your Messenger, Facebook, and email . After that I made a double-screen video. 1st part shows the video you were viewing (you've got a nice taste omg), and next part shows the view of your web cam, & its you. 
You have got not one but two alternatives. We will go through these choices in details:
First alternative is to neglect this email message. In such a case, I will send out your very own videotape to all of your contacts and also visualize about the embarrassment you will definitely get. And definitely if you happen to be in a romantic relationship, exactly how this will affect?
Latter solution is to compensate me $1000. Let us describe it as a donation. In such a case, I will asap delete your video. You can go forward your daily life like this never occurred and you surely will never hear back again from me.
You'll make the payment through Bitcoin (if you do not know this, search for "how to buy bitcoin" in Google). 
BTC Address: 192hBrF64LcTQUkQRmRAVgLRC5SQRCWshi[CASE sensitive so copy and paste it]
If you are thinking about going to the law, well, this email can not be traced back to me. I have taken care of my moves. I am not attempting to charge a fee a huge amount, I simply want to be rewarded. You have one day in order to pay. I have a specific pixel in this e-mail, and now I know that you have read through this mail. If I do not receive the BitCoins, I will definately send your video to all of your contacts including family members, co-workers, and so forth. Having said that, if I receive the payment, I'll destroy the video right away. If you really want proof, reply with Yes & I definitely will send out your video recording to your 5 friends. This is the non-negotiable offer and thus don't waste mine time & yours by responding to this message.

This particular scam was first seen in the wild back in December of 2017, though some similar versions predate it. However, beginning in late May the scam kicked up in prevalence, and in the second week of July, apparently someone's botnet started sending this spam in SERIOUS volumes, as there have been more than a dozen news stories just in the past ten days about the scam.

Here's one such warning article from the Better Business Bureau's Scam Tracker.

One thing to mention is that the Bitcoin address means that we can track whether payments have been made to the criminal.  It seems that this particular botnet is using a very large number of unique bitcoin addresses.  It would be extremely helpful to this investigation if you could share in the comments section what Bitcoin address (the "BTC Address") was seen in your copy of the spam email.

As always, we encourage any victim of a cyber crime to report it to the FBI's Internet Crime and Complaint Center by visiting ic3.gov.

Please feel free to share this note with your friends!
Thank you!

UPDATE!!!

The excellent analysts at the SANS Internet Storm Center have also been gathering bitcoin addresses from victims.  In their sample so far, 17% of the Bitcoins have received payments totalling $235,000, so people truly are falling victim to this scam!

Please continue to share this post and encourage people to add their Bitcoin addresses as a comment below!