[HN Gopher] Data leak contains 26B records from numerous previou...
___________________________________________________________________
Data leak contains 26B records from numerous previous breaches
Author : el_duderino
Score : 112 points
Date : 2024-01-23 16:50 UTC (6 hours ago)
(HTM) web link (cybernews.com)
(TXT) w3m dump (cybernews.com)
| Sai_ wrote:
| Clicking on the posted link seems to send the malwarebytes
| website server into a reload loop.
| jacquesm wrote:
| Suggested link change:
|
| https://cybernews.com/security/billions-passwords-credential...
|
| The other is just a way for malwarebytes to get some clicks and
| contains very little information.
| dang wrote:
| Ok, changed to that from
| https://www.malwarebytes.com/blog/news/2024/01/the-mother-of...
| above. Thanks!
| hdlothia wrote:
| I feel like the people who calculate that it's more cost
| effective to deal with the hit from a security breach vs spending
| money on good security have won.
|
| I have gone from feeling outraged to completely numb to these
| kind of disclosures and have pretty much just assumed that my
| information will inevitably be leaked somewhere by someone.
|
| Does anyone else feel this way? I just keep a close eye on my
| financial statements and hope for the best.
| SketchySeaBeast wrote:
| It's exhausting. It's a sense of continual doom.
| Aardwolf wrote:
| With email addresses you can use multiple to not be too
| affected. But phone numbers are less replaceable than email
| addresses...
|
| And what's annoying is that more and more things now also
| require phone numbers (like, seriously, in the past an email
| address was enough but today the simplest thing you want to
| signup for uses some third party booking platform (which means
| yet one more party that gets to leak your data) that wants your
| phone number; even a railway company can't manage its own login
| anymore. In the mid 2000s I would have thought phone numbers
| would die and internet would become the new way to communicate
| but nope, they suddenly became more important instead)
| lencastre wrote:
| The simplest thing requires full name, address, birthdate,
| age, yes age, mobile phone, fiscal number, last four digits
| of the credit card, expiration date of credit card, yomama's
| maiden name, the middle 8 digits of your credit, your last
| used password, your pet's name, the name of the high school
| you attended, favorite football team, front and side
| pictures no smile no hats no glasses, high-resolution scan of
| government issued ID, and lastly the first four digits.
|
| That's about it.
| Aeolun wrote:
| Hey! Don't you have all digits of my CC now?!
| autoexec wrote:
| I still feel like this is why the penalties for allowing users'
| data to be leaked should be harsh enough to make it worthwhile
| for companies to take even basic steps to protect other people's
| data, or even better, to avoid collecting it or keeping it in
| the first place.
|
| Since that hasn't happened yet, I try to avoid handing my data
| over when I can.
| stvltvs wrote:
| Agreed, perhaps requiring companies who handle sensitive data
| to carry insurance and licensing engineers who build those
| systems, something like the PE.
| doubled112 wrote:
| > licensing engineers who build those systems
|
| The IT and software industries would really change. Perhaps
| for the better, but perhaps not.
| HeatrayEnjoyer wrote:
| I can't possibly see it becoming worse. This isn't the
| 90s any more, computing and the internet are no longer
| cute novelties but infrastructure just as critical as
| electricity or airport communication. Software
| "engineering" has been due for the professional licensure
| and direct liability that every other serious industry
| has had for a century.
| basch wrote:
| It's time for attorney generals to hold permanent identity
| monitoring pots and funds.
|
| The idea that someone can lose all your data and then pay for
| two years of identity monitoring is absurd. The people with the
| data can see that and can just wait two years to sell it.
| Social security numbers don't reset after two years.
|
| If you lose data, you pay a data breach tax forever. Over time,
| your competitors will be able to run with lower margins if they
| stay secure. As companies die out, the remaining breached ones
| are responsible to keep footing the bill.
| stvltvs wrote:
| It should all be free, like getting credit reports is now. We
| need a robust and accessible way to manage our data personas,
| assuming that all of the supposed secrets are in fact public
| data.
| kingforaday wrote:
| As a reminder for any US citizens, there is an official
| path to getting this from each of the main three for
| free [1], which is the approved method verified by the FTC [2].
|
| 1. https://annualcreditreport.com
|
| 2. https://consumer.ftc.gov/articles/free-credit-reports
| kelseyfrog wrote:
| It also incentivizes holding as little personal data as
| possible and increases the probability of coordinated
| adoption of systems[1][2][3][4][5] of
| identification/verification that minimize collateral damage.
|
| 1. https://sovrin.org/
|
| 2. https://github.com/sertoID/
|
| 3. https://www.hyperledger.org/projects/hyperledger-indy
|
| 4. https://identity.foundation/ion/
|
| 5. https://www.civic.com/
| mindslight wrote:
| Further cementing this broken idea of "identity" as something
| that can be stolen is most certainly not what we need! Rather
| we need AG's to start going after companies that attempt to
| collect negligently verified and other fake debts for the
| _outright brazen fraud_ that it is, and a law that allows
| victims to procedurally recover triple damages for time
| /money spent defending against these companies and helping
| the companies clean up their own messes. Separately, we need
| a law like the GDPR that lets individuals audit, control, and
| opt out of the surveillance records being kept on us.
| hypeatei wrote:
| Exactly. The whole idea that end users are responsible for
| their stolen "identity" is absurd.
|
| It was a successful tactic used by banks and credit bureaus
| to shed their responsibility of proper verification when
| opening lines of credit or other accounts.
| jimt1234 wrote:
| I would go one step further, saying that proper
| verification is prone to fraud because of failure in
| government (in the US; not sure about other countries).
| It still baffles me that identification typically comes
| down to two things: social security card and driver's
| license, and both are managed by agencies whose primary
| objective is _not_ identification. IMHO, it's time for a
| single agency at either the fed or state level that's in
| charge of just identification. That's it. Fund that
| agency and let them do it properly. However, inevitably
| someone will scream "Big Brother!", and we'll end up back
| where we started, with this Rube Goldberg system that
| basically leaves individuals to fend for themselves.
| mindslight wrote:
| I'll go yet another step further, and say that the main
| opposition to having a better technical system of
| government identification is because we're lacking a
| comprehensive privacy law akin to the GDPR. As it stands
| if the government started say issuing smart cards for
| identity verification, then every business would
| gradually force their customers to identify themselves,
| for helping the commercial surveillance industry track
| everything they do. This is the current dynamic with
| mobile apps, phone numbers, and existing static
| identifiers, and it's only held back because one can
| feign not having them and/or being worried about giving
| out that info. Whereas with actually secure technicals,
| that friction basically disappears. And so the only way
| to prevent this dynamic (and make it so better
| identification isn't itself a security vulnerability) is
| by gaining the legal right to inspect/audit/reject the
| collection, use, and storage of such information in the
| first place.
| throwway120385 wrote:
| There's also a significant constituency that believes any
| nationwide system of identity is the "mark of the beast"
| as spoken of in the Bible.
| jimt1234 wrote:
| This is the best comment ever. Thank you! ... The narrative
| around "identity theft" and "personal data" needs to
| change.
| ChrisMarshallNY wrote:
| _> two years_
|
| _TWO_ years?
|
| I have had my data pwn3d a couple of times. One was six
| months', the other was one year, and Experian used that as
| leverage to unendingly nag me to buy into them.
| godelski wrote:
| I'm very open to government solutions, but at the same time
| I'm not sure they have a good track record. Despite that,
| this service should come from the government because anyone
| else has misaligned incentives. I specifically would want a
| privacy and security maximalist approach. What we have right
| now is completely unacceptable, especially given our current
| technology level. Though of course, the downside is also that
| this database becomes a big target (and that's why I want a
| maximalist approach). I don't know what the solution is, but
| I'm sure there are security experts here on HN that can lay
| out better paths and I'm interested in actually hearing what
| systems I should be advocating for (with more specificity
| than the generic thing I said).
|
| I do think we should also push back against surveillance
| capitalism. This has been a disaster. Such data breaches are
| a result of this system (and clearly it isn't even unique to
| the western world). I think any government has the power to
| hold these companies accountable in at least some form or
| another. Big dogs like US, China, and Germany should be
| leaders, but clearly they aren't as this stuff keeps
| happening.
| basch wrote:
| The service doesn't need to come from the government. A
| marketplace of services of which I can choose my own
| provider would work.
| lazide wrote:
| Until your average American suffers in some clearly
| identifiable way - which they currently don't really -
| ain't nothing going to change. And probably not even
| then.
| tootie wrote:
| I think an easier approach would be some sort of mandatory
| indemnity. Rather than trying to impose specific practices
| which very well may vary greatly depending on the domain,
| just levy automatic penalties for breaches and set them high
| enough to encourage action.
| danesparza wrote:
| This will just make companies more litigious. They'll sue
| to silence leakers and deny wrongdoing. The leaking will
| still happen.
| dotancohen wrote:
| > It's time for attorney generals
|
| Attorneys general
|
| They are attorneys, so that is the word to pluralize. What
| type of attorney are they? General
| unclenoriega wrote:
| This is an explanation poor of why that's the plural
| correct. You make it sound like that's grammar normal
| English.
| fuzztester wrote:
| Him forgive, programmer he Forth a is.
|
| You thank.
| stilist wrote:
| Nah, it's just a convention adopted from French after the
| Norman Conquest.
| namaria wrote:
| I'd say it's an inevitable state of affairs. With networked
| general computers the amount of leaked information tends to
| 100% of available information over time. Unless you can design,
| build and run absolutely safe systems.
|
| Cybersecurity is a sham, a bolt on industry extracting rent out
| of the mobile internet junkies we've become.
|
| We want to have an endless stream of entertainment and trivia
| so bad we've actually built homes with locks that connect to
| the internet. You'd think a networked lock defeats its purpose.
| barrysteve wrote:
| Long since resigned.
|
| It's impossible to keep a secret on the internet. You can't
| secure military technology, bank secrets, crypto tokens or
| prevent piracy.
|
| Computers were designed to be open by default.
|
| General purpose computing manufactured across the planet with
| everybody having a hand in the supply chain has become the
| betrayal system.
|
| Security follows the traditional Mafia protection scheme
| racket.
|
| - Some Romanian hacker leaks data from your web server and
| sells it.
|
| - You pay developers to close the vuln.
|
| - You pay cybersecurity a protection fee to prevent it
| happening again.
|
| - It happens again.
|
| Developing a real technology that can give secure control back
| to the owner-operator goes against good business incentives.
| You can't farm users and share the wealth on a truly secure
| computing model.
| chankstein38 wrote:
| 100% with you. At this point my data has been breached so many
| times I don't even know what the point of caring is. I don't
| have privacy anymore. Like you I just have credit monitoring
| and watch my financial statements and hope for the best. This
| world sucks.
| Aeolun wrote:
| That's honestly not very surprising when any company that does
| this has to suffer the consequences of... crickets?
|
| No consequences at all. It's no surprise that patching the
| holes costs them more.
|
| It's also that all these massive companies are absolutely
| allergic to any change. Unless legal gets wind of it everything
| can stay exposed if it means the status quo is maintained.
| godelski wrote:
| I just went through a call with my credit card company. 4
| transfers later the only verification I've been asked is the
| last 4 of my social, my name, and when I was at the "highest
| level" of security they took the amazing step to... call me
| back. All because my credit card, which is travel focused, got
| flagged because I bought a <$300 plane ticket... They claimed I
| got an email and text message, which I got neither (I'm sure
| the email got filtered and same with the text message. Thanks
| Google. I'm glad you filtered those but not the emails
| addressed to someone else, "from" a hashed domain, and where
| the header is passed through 5 relay services -- including
| several .edus. -____-)
|
| You are not alone. It is an __absolute joke__ that my github
| account is more secure than any banking service I use. How is
| it that the only 2FA they offer is text message? A method
| that's been known to be terrible for over a decade now. Where
| are my OTPs? They give me apps on my phone, why not push
| verification there? (Vanguard recently started doing this) Why
| can't I set up hardware keys or public private keypairs? Sure,
| I get that you still got to service grandma and grandpa, but at
| least give me something. In today's day and age the two most
| important services I have are email and banking. The former is
| impossible to resolve when shit hits the fan and the latter
| doesn't even implement basic security.
|
| Something is very wrong, and I'm not sure it is even about
| money (unless short term vs long term). Dinky little websites
| implement better security than most banking services. Clearly
| the banks could reduce their spending on fraud detection and
| resolution if they added some basic security.
|
| I will note that I had a Capital One account that used the card
| as a 2FA into the phone app. Was neat, other than Capital One
| was a whole shitshow on its own.
|
| I'm also very surprised at how much spam gets through services
| like Gmail and Twitter which could be easily detected by Naive
| Bayes filters. Something is very wrong.
| kesslern wrote:
| I can log into chase.com with my password in any case.
| Banking security is an absolute joke.
|
| The interesting part is that if I have to do a 2FA SMS
| challenge, I am required to re-enter my password. At this
| point the password checking becomes case sensitive.
| wlesieutre wrote:
| "In any case" meaning you can change capitalization and it
| still works?
|
| This doesn't work on my chase.com account.
| throwway120385 wrote:
| USAA actually does push passcodes using their app.
|
| The banks' understanding of security is so poor that they
| push people to use voice or fingerprint authentication. My
| wife constantly fights Wells Fargo about it every time she
| calls them because they want to helpfully sign her up for
| their voiceprint service so she doesn't have to use her PIN
| anymore. She used to work in a retail cellphone store so has
| heard tons of horror stories of people signing up for the
| same and then getting their voice deepfaked by a telemarketer
| to access their accounts.
| godelski wrote:
| LOL what a joke. Isn't there even a news story floating
| around about someone deep faking Biden's voice? I expect
| banking security to be better than what's in the public
| lexicon, not worse.
| jazzyjackson wrote:
| I migrated away from gmail primarily because they regularly
| filed important emails as spam
| instagib wrote:
| The SEC had a disclosure recently which had an effect on the
| bitcoin market. They supposedly turned off MFA and forgot to
| re-enable it, and it was also a SIM swap attack.
|
| The OPM data breach was bad. So much data on there about the
| individuals and a few degrees of association away from them.
| Every security question and answer are there.
|
| I had 4 data breaches last year and one so far this year, which
| I just posted about today (0); I have no idea how they got my
| information. Mail was stolen by a petty theft and identity
| theft ring which called to try to get more out of me a couple
| years ago.
|
| Freezing your credit is the best course of action. I don't
| really worry about it much anymore.
|
| (0) https://news.ycombinator.com/item?id=39101272
| GuB-42 wrote:
| The problem is that as long as there are attackers willing to
| spend resources, there is no limit to spending money on
| security, it is adversarial. At some point, security will cost
| more than what you are securing, and that's when people drop
| the ball and prefer to deal with the consequences.
|
| Same ideas as with bicycles. Thieves now have sufficiently
| advanced tools that people stop buying the kind of locks that
| could possibly stop them, and instead just assume that if left
| unattended outside, their bike will be stolen
| eventually, and deal with it. For example by not having nice
| bikes, or by not biking unless there is a safe place for that
| bike.
|
| So yeah, leaks will happen. Unless maybe you get a combination
| of well designed and enforced security standards, harsh
| penalties for cybercrime, and international collaboration.
| 1970-01-01 wrote:
| Yes. Corporations really do just lose your info and move on as
| quietly as possible. You can try to not give real info to
| anyone that isn't the government.
| freitzkriesler2 wrote:
| I skimmed the article but it wasn't clear to me specifically what
| was leaked. Do they have clear text usernames and passwords? Are
| the PW hashed?
| huytersd wrote:
| So 3 records for each person on earth. Nice.
| SOVIETIC-BOSS88 wrote:
| Title says billions, not trillions.
| evan_ wrote:
| are you counting ants as people?
| fuzztester wrote:
| at the rate we are going, soon ants will be counting
| people.
| araes wrote:
| Super pedantic response, yet current estimate is 20
| quadrillion ants on Earth.
|
| https://www.science.org/content/article/how-many-ants-
| live-e...
|
| https://en.wikipedia.org/wiki/Orders_of_magnitude_(numbers)
| Humans: 8,000,000,000
| Trees: 3,000,000,000,000
| Ants: 20,000,000,000,000,000
| 6510 wrote:
| I'm not saying aliens....
| __MatrixMan__ wrote:
| There are 8 billion people on earth, more or less.
| croes wrote:
| 8 billion people, 26 billion records.
|
| More than 3 per person.
| mtmail wrote:
| Casual reminder that in some languages the American English
| trillion (10^12) is called a billion. It's confusing but might
| explain the mistake. https://en.wikipedia.org/wiki/Billion
| somedude895 wrote:
| That term is a bit clickbaity. Mother of all dumps would be more
| appropriate. This is all from old breaches.
| popcalc wrote:
| It's more than just a bit clickbaity. There are probably dozens
| of us on HN who've compiled our own combo DB. This is what
| dehashed, snusbase, and hibp all are.
| Lendal wrote:
| The funny thing to me about this title is who brought that term
| to English in the first place. It came into the vernacular back
| in 1991 when Saddam Hussein claimed the Kuwait War would become
| "the mother of all wars". It didn't. It lasted about 24 hours,
| but the phrase has lasted much longer. It's so weird how
| language evolves, who has the power to do it, and who doesn't.
|
| So for me, the title means that this breach is only of
| importance to the people who want it to be. Everyone else will
| simply ignore it after 24 hours, just like the first Kuwait
| War.
| modeless wrote:
| Google Ngram viewer does indicate a sharp rise in use of the
| phrase starting in 1990:
|
| https://books.google.com/ngrams/graph?content=the+mother+of+.
| ..
| dang wrote:
| Ok, I've taken a crack at making the title more accurate above.
| Thanks!
| __MatrixMan__ wrote:
| Until we stop implicitly trusting third parties with unencrypted
| data this will continue to feel like not even news.
| __MatrixMan__ wrote:
| Until we stop implicitly trusting third parties with unencrypted
| data this sort of thing will continue to feel like not even news.
| ars wrote:
| I'm unclear how encrypting the data would help. The same breach
| that gives access to the data, can also decrypt it.
|
| (Also you wrote the same message twice.)
| oconnore wrote:
| I think you misunderstand their suggestion. If you only gave
| service providers access to encrypted data (i.e. End-to-end
| encryption), then neither the service provider nor the leaker
| would be able to decrypt.
|
| Whether or not that is a generally viable or desirable
| suggestion is a different question, but it is possible as
| demonstrated by Signal, Apple, etc.
| ars wrote:
| There's only a limited number of things that can be done
| that way. Basically point-to-point messaging.
|
| Most things aren't going to work with that model. Can
| Amazon ship you products without knowing what you ordered?
| Can you send and receive email on multiple devices without
| the provider having your email? Can you join public chat
| groups? Can you view your lab results without the lab
| having them?
|
| And don't say "the lab can encrypt and send them to you".
| Your encryption key must be known to the lab, so they can
| provision a new device for you, in case you lose your
| phone.
|
| Even the vaunted "WhatsApp and Signal" could actually read
| all your messages if they wanted to - they have your
| encryption key after all, all they need to do is deploy a
| version of their application that copies your messages to
| them.
|
| So no, it's not actually possible.
| pachico wrote:
| What is the real impact on companies that suffer breaches like
| the ones in that list?
|
| Does it really hurt them? Does even the reputation produce any
| hit on them?
| stuff4ben wrote:
| Meh... keep your passwords in an offline password manager and
| generated for each site. Don't store payment info anywhere, but
| if you do, make sure it's a generated CC number. Never link your
| checking or savings account to anything. Sure you'll miss out on
| some convenience, but you'll have your money and sanity.
| SoftTalker wrote:
| Until your bank itself leaks the data....
| reidjs wrote:
| It's unethical, but technically any pressed key or input while
| on a website could be saved to the site's servers or any
| servers it ever interacts with, even if you don't save it. So,
| in addition to your guideline, try to limit the number of
| websites you input any PII into. IN ADDITION to that, you need
| to limit the number of people who will take your information in
| real life and input your information into a system, for
| example, at a grocery store, gym, bank, dentist, insurance
| form, or any other service like that.
|
| In a way, it's miraculous if one's identity HASN'T been used in
| nefarious ways without their knowledge, yet.
| barbazoo wrote:
| > Don't store payment info anywhere, but if you do, make sure
| it's a generated CC number.
|
| Cries in Canadian. As far as I am aware there is no way up here
| to have more than one virtual card. Please correct me if I'm
| wrong.
| derbOac wrote:
| Clearly better security is always better but sometimes I think
| there needs to be a different way of approaching identity
| validation etc.
|
| Like, maybe we need to assume everyone's records are leaked
| somewhere all the time?
|
| I'm not sure what that means in practice but I e.g., am not sure
| that "identity theft" should be a scary thing if the other side
| of the system is working optimally.
| mschuster91 wrote:
| > I'm not sure what that means in practice but I e.g., am not
| sure that "identity theft" should be a scary thing if the other
| side of the system is working optimally.
|
| For that, the US needs to follow what virtually all EU member
| states have done, and provide every citizen with a
| government-issued ID card with NFC that can be used to authenticate
| against a website (e.g. a bank), and browsers would need to
| agree on a web standard allowing interfacing with such cards
| (there is Web NFC but it's by far not enough).
|
| The problem is, this is politically untenable in the US for a
| bunch of reasons - the right wing complains about "big
| government" and fears a "nanny state" that tracks everyone and
| everything, and the left wing complains because ID cards cost
| money and would exclude people without proper documentation.
|
| Additionally, passports don't store your residential address
| and people don't necessarily want the government to know said
| address, which means they are useless to banks as a factor
| proving "person X lives at address Y".
| ineptech wrote:
| Question that sounds idiotic but is quite serious: how do I make
| it illegal to lend money to me without confirmation via Keybase?
| (edit: or some similar cryptographic identity proof)
|
| The only reason to keep my name/address/SSN secret is that
| companies will lend money to a person who has that info, and then
| try to make me liable for it regardless of whether that person
| was me. That's a problem, but the solution isn't for me to keep
| my identity secret, it's for companies to _stop doing that_.
|
| I should be able to march into some government office, prove my
| identity to their satisfaction, and give them a private key.
| Then, if Wells Fargo lends money to someone who can't prove
| ownership of that key, that's Wells Fargo's problem. Keybase does
| this fairly well, and is essentially abandonware since the
| founders were (if I remember right) acquihired by Signal. So, can
| we just nationalize it or build something similar, declare it to
| be SSNv2, and move on with our lives?
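A minimal sketch of the check this post asks for, as an added example (not code from the post, from Keybase, or from any real registry): a hypothetical government registry holds the key a person registered in person, the lender issues a fresh per-loan challenge, and only a signature under the registered key is accepted, so a name or SSN taken from a breach dump is never an input. The registry, the fake SSN placeholder and the challenge format are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry stands in for the government office in the post above: it maps an
// identity label (a constructed, fake SSN here) to the key registered in person.
type Registry map[string]ed25519.PublicKey

// Challenge is issued by the lender for one specific loan. The random nonce and
// the terms are signed too, so a proof for one application cannot be replayed.
type Challenge struct {
	Lender string
	Terms  string
	Nonce  [32]byte
}

// bytes is the canonical message that is signed and verified; the fixed prefix
// and separators keep it from colliding with signatures made for other purposes.
func (c Challenge) bytes() []byte {
	return []byte("loan-proof-v1|" + c.Lender + "|" + c.Terms + "|" +
		hex.EncodeToString(c.Nonce[:]))
}

// NewChallenge draws a fresh nonce from the OS CSPRNG for every application.
func NewChallenge(lender, terms string) Challenge {
	c := Challenge{Lender: lender, Terms: terms}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		panic("crypto/rand unavailable: " + err.Error()) // not safe to continue
	}
	return c
}

// Sign runs on the applicant's own device; the private key never leaves it.
func Sign(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, c.bytes())
}

// Verify is the lender's check: the proof must cover exactly the challenge it
// issued and verify under the key registered for that identity. Name, address
// and SSN are not inputs here, which is the point of the scheme.
func (r Registry) Verify(id string, c Challenge, sig []byte) error {
	pub, ok := r[id]
	if !ok {
		return errors.New("no key registered for this identity")
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, c.bytes(), sig) {
		return errors.New("proof of key ownership failed")
	}
	return nil
}

// Demo runs three applications against one registry and reports which the
// lender accepts: the real key holder, an impostor who has only the SSN from a
// breach dump, and a replay of the real holder's earlier proof.
func Demo() (legit, impostor, replay bool) {
	const ssn = "000-00-0000" // constructed placeholder, not a real SSN
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := Registry{ssn: pub}

	first := NewChallenge("Example Bank", "loan:USD 5000")
	proof := Sign(priv, first)
	legit = reg.Verify(ssn, first, proof) == nil
	// Impostor: knows the leaked SSN but can only sign with a key of their own.
	_, badPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	second := NewChallenge("Example Bank", "loan:USD 20000")
	impostor = reg.Verify(ssn, second, Sign(badPriv, second)) == nil

	// Replay: the genuine proof for the first loan presented for the second.
	replay = reg.Verify(ssn, second, proof) == nil
	return
}

func main() {
	legit, impostor, replay := Demo()
	fmt.Printf("real holder: %v, breach-data impostor: %v, replayed proof: %v\n", legit, impostor, replay)
}
```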
| bagels wrote:
| You contribute to campaigns of politicians (aka bribe) and
| write legislation for them to pass.
| ineptech wrote:
| I don't have enough time left on this Earth to explain the
| concept in a way that politicians could implement, I'm in my
| 40s. In my preferred alternate universe, Keybase was sold to
| a benevolent billionaire. Or more realistically, a normal
| billionaire who intended to run it at a loss until he could
| leverage it to effect world domination, but managed to mess
| it up somehow and get it nationalized. Or something. I can
| dream...
| bagels wrote:
| The lobbyists write the legislation and provide the talking
| points.
| jimt1234 wrote:
| Speaking of Keybase, is it still supported? I just launched
| mine after a multi-week hiatus, and I'm getting an error:
| "x509: certificate signed by unknown authority" Hmmm.
| ineptech wrote:
| I'm not sure? Mine still works but I've had to manually
| upgrade it a few times. For a scheme like this we'd probably
| need to reimplement it (just the public keyring and challenge
| proofs on social media platforms, not the crypto cruft).
| Helpfully I think the client is FOSS.
| duskwuff wrote:
| > Speaking of Keybase, is it still supported?
|
| For all intents and purposes, Keybase was abandoned the
| moment the team was acquired by Zoom.
| itrack wrote:
| Any magnet?
| mylastattempt wrote:
| If you've followed other large / individual leaks, all this
| data is already there. If you just want a download for
| convenience, go to the black forums. Or check haveibeenpwned if
| you're curious for your own company / identity.
| bagels wrote:
| Everyone is part of a leak already. It's hard to be bothered by
| these anymore.
| altacc wrote:
| My first thought was "Is this Troy Hunt's hard drive?" but I'm
| assuming that more bad actors collect security breach data than
| security researchers. With cyber crime & scams on the rise and
| earning billions, the value of all that mineable data for bad
| actors must be high.
| charcircuit wrote:
| How is this the mother of all breaches when it is the child of
| several smaller breaches?
| bdcravens wrote:
| Not really news. Most of the article says over and over that much
| of the data is from previous breaches, but some data may be new,
| without putting any numbers to it.
| surge wrote:
| All I see here is someone made a bigger list from multiple other
| lists from prior breaches. This isn't "the mother of all
| breaches", this is clickbait. Unless there is some new confirmed
| breach somewhere that in fact contains 26 billion records
| exfiltrated, the only thing this is the mother of is a nothing
| burger.
___________________________________________________________________
(page generated 2024-01-23 23:00 UTC)