Security researcher Troy Hunt has added more than 80 million records from nearly 3,000 new data breaches to Have I Been Pwned. That is so many records that it is currently ranked as the 15th biggest data breach on Have I Been Pwned. Each record contained an email address and plaintext password, but the entire list was unfortunately loaded under a single “unverified” data breach.
Are these records actually new breaches? This is where it gets a bit tricky.
Hunt started searching for the massive trove of login credentials recently found by Hacked-DB. The breach notification company told HackRead that it “discovered 3,000 databases containing 200 million unique user accounts including email addresses, potential personally identifiable information, potential financial accounts, unique IP addresses, unique account identifiers and other highly sensitive information linked to organizations and individuals all around the world.”
Hunt found 8.8GB of data breaches in a single ZIP file, with 2,889 text files in the archive. After finding the leaked list of pwned databases, Hunt explained that he tried to find out how many were new. Files were omitted if they came from any existing breach already listed in HIBP.
I then grabbed a unique set of addresses from the remaining data and tested a random 10k of them against HIBP. Only 70% of them were already in the system which indicates a lot of new data; 30% of the addresses I’d never seen before. Of course, of the ones I had seen before there’d still be many addresses in data breaches that weren’t in HIBP and the addresses had simply been pwned more than once, but the checks against the system also gave me an opportunity to do a bit more source cleanup.
After another round of cleanup, Hunt said, “I distilled the data down to 2,844 files which contained a total of 80,115,532 unique email addresses.”
This was now data I was comfortable loading because we’re talking tens of millions of people in (alleged) breaches I’ve never seen before. But I’m also conscious that I can’t clearly say “this is the breach you were in” as there’s no direct association between the accounts in HIBP and the source file. However, I can list those source files in the hope that it’ll help people who might recognize a service they’ve used in the past.
Hunt included the complete list before adding a disclaimer:
It should be abundantly clear from this post, but let me explicitly state it anyway: I have no idea how many of these are legitimate, how many are partially correct and how many are outright fabricated. I’ve consequently flagged this “breach” in HIBP as unverified.
Some people are getting HIBP notifications letting them know their email and password combination is floating around in the cyber ether. Unfortunately, the notification in this case doesn’t directly tie to a specific site or service from where the credentials came.
In the comments, “John Doe” noted that the list of 2,844 URLs contains “entries of lists” which were published in December 2017.
The news of this breach may not be overly helpful to you unless you reuse passwords. If that is you, then you might want to check whether your passwords are listed in Pwned Passwords.
Pwned Passwords v2
Hunt announced a new version of Pwned Passwords last week, updating it to contain over 500 million passwords – 501,636,842 pwned passwords to be specific; users can search to see if their passwords have been in previously exposed databases. The portion under “Cloudflare, privacy and k-Anonymity” delves into how anonymity is maintained when checking for pwned passwords.
Since developers can also connect to Pwned Passwords via the API, it took a mere day before 1Password integrated the tool.
Find pwned passwords via 1Password
When AgileBits announced the new feature, the company reiterated that it never would have added the ability to check if your password was leaked unless the check was private and secure. The passwords are “never sent to us or his service.”
Users with a 1Password membership can sign into their account, click a listing in Open Vault, “enter the magic keyboard sequence Shift-Control-Option-C (or Shift+Ctrl+Alt+C on Windows) to unlock the proof of concept,” and then “click the Check Password button that appears next to your password.”
As for how it works, AgileBits wrote:
First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.
To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.
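The prefix check AgileBits describes, written out as an added example (not 1Password's or Troy Hunt's code): both the server side and the client side are simulated in one script so it runs offline, the leaked-password corpus is a constructed stand-in, and the server's `suffix:count` response format follows the real range API, which is replaced here by a local function.

```python
import hashlib
import re

# Constructed stand-in for the Pwned Passwords corpus (password -> times seen).
LEAKED_PASSWORDS = {"password": 3, "123456": 5, "qwerty": 2, "letmein": 1}

HEX5 = re.compile(r"^[0-9A-F]{5}$")


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password: the 40-character hash the post refers to."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server side: every hash is bucketed by its first five hex characters.
SERVER_INDEX = {}
for pw, count in LEAKED_PASSWORDS.items():
    h = sha1_hex(pw)
    SERVER_INDEX.setdefault(h[:5], {})[h[5:]] = count


def range_query(prefix):
    """Simulated server endpoint standing in for the real /range/{prefix} lookup.

    Returns one 'SUFFIX:COUNT' line per hash in the bucket. The server only
    ever receives the five-character prefix, never the full hash or password.
    """
    if not HEX5.match(prefix):
        raise ValueError("prefix must be exactly five uppercase hex characters")
    bucket = SERVER_INDEX.get(prefix, {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in bucket.items())


def pwned_count(password, query=range_query):
    """Client side: hash locally, send only the prefix, match the suffix locally.

    Returns how many times the password appeared in the (simulated) corpus,
    or 0 if it was not found. The full hash never leaves this function.
    """
    full_hash = sha1_hex(password)
    prefix, suffix = full_hash[:5], full_hash[5:]
    response = query(prefix)  # the only data that crosses the network boundary
    for line in response.splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate))
```

Swapping `range_query` for a function that fetches the real range endpoint over HTTPS turns this into a live check while keeping the same privacy property.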
At some point in the future, AgileBits intends to add the ability to check for pwned passwords to 1Password Watchtower, “so you can see your pwned passwords right in the 1Password app you use every day.”