Massive theft of passwords globally, Is it true?

I got this email from GINERNET:

 Dear rami adel (online)

Unfortunately, we increasingly regularly receive news about massive theft of passwords globally.

The latest, this week, is the publication of a 40GB file that includes 1400 million passwords and can be downloaded by any user through the torrent network.

You can learn more: https://www.adslzone.net/2017/12/12/1-400-millones-contrasenas-deep-web/

Want to know if your data are publicly accessible on the Internet? You can check it out here: https://haveibeenpwned.com/

Regarding this situation, we want to remind you that at GINERNET we offer a two-step authentication system, so that in order to access your client area it is necessary that you log in with your password and additionally enter a random code that you receive on your mobile.

Remember that if an attacker gained control of your client area, they could steal contracted services such as domains or, in the worst case, permanently remove services. We would have to restore a backup to recover the service and information you lost, as of the date of the backup taken before the hacking, adding downtime for the loss of service to this issue.

Therefore, we recommend that you enable two-step authentication from this link; it is very simple: https://cli.ginernet.com/clientarea.php?action=security

Is this true?


Comments

  • Yes, the file has been out for a while but it's just a collection of breaches over the years organised into one file.

    Thanked by 2WSS Rami
  • Hm, surprised KrebsOnSecurity hasn't mentioned it. I skimmed through December - now on his page and didn't find anything.

  • fxffxf Member
    edited December 2017

    None of the 1400 million passwords are new. Someone simply collected old breaches and made the user/pass info easy to search. It was originally posted here on r/pwned (actually links to archive.fo's copy of the page, since reddit has removed the self text of the post).

  • It happens. Hell, I'm even on there thanks to LinkedIn. I haven't had an active account there for probably about a decade, but my address is forever besmirched.

  • I just saw big names in the list, that's why I wasn't so sure it is true

  • This is also a fantastic example of "don't use the same password for everything on every site or VPS or computer or anything".

    Thanked by 3WSS Rami jar
  • @Damian said:
    This is also a fantastic example of "don't use the same password for everything on every site or VPS or computer or anything".

    I always tell people so but no one listens :D

  • KuJoe Member, Host Rep

    Passwords are horrible, don't rely on passwords for security.

  • @Rami

    Did you hear of masterdeeds...?

  • @KuJoe said:
    Passwords are horrible, don't rely on passwords for security.

    OK, Alex.

  • @mikewazar said:
    @Rami

    Did you hear of masterdeeds...?

    No

  • KuJoe Member, Host Rep

    @WSS said:

    @KuJoe said:
    Passwords are horrible, don't rely on passwords for security.

    OK, Alex.

    Who's that?

  • @KuJoe said:

    @WSS said:

    @KuJoe said:
    Passwords are horrible, don't rely on passwords for security.

    OK, Alex.

    Who's that?

    Either Trebeck, or Jones. Take your pick. (2FA4LYF)

  • jar Patron Provider, Top Host, Veteran
    edited December 2017

    If you really want to keep up with this stuff: https:// raid forums .com/Forum-Databases (it's worth paying)

    I generally have so many of these databases it's rather obscene. I just recently wiped the slate though as I haven't seen any new significant data for a bit, mostly just repackaged combinations of stuff we've been dealing with for over a year.

    The reality is this: you were compromised somewhere long ago and with so many other people that your credentials may still have not yet been used. Don't believe for a second that you're safe because a year or more has passed.

    That link can help you if you really want to find out what is out there about you. You won't get the level of detail and context from anything but the raw data.

  • Janevski Member
    edited December 2017

    I think I've said it before, it's a great idea to open a site such as HaveIBeenPwned and collect emails from random people. You don't have to have any breach databases, just make a function that is always going to say pwned for some mails. Something like, filter input, all letters to lowercase, letter to number, add all, modulus by potato, if greater than number show as pwned, else not.

    Then, all of the collected mails are going to be informed about The Truth.

    Thanked by 1AuroraZ
  • @Jarland, are you a moderator on HF too, btw? :p

  • jar Patron Provider, Top Host, Veteran

    @Yura said:
    @Jarland, are you a moderator on HF too, btw? :p

    No but I am two members. Keep your enemies closer ;)

  • @jarland said:

    @Yura said:
    @Jarland, are you a moderator on HF too, btw? :p

    No but I am two members.

    Sounds HOT.

    Thanked by 2jar Yura
  • @jarland said:

    @Yura said:
    @Jarland, are you a moderator on HF too, btw? :p

    No but I am two members. Keep your enemies closer ;)

    Bi-member.

    Thanked by 1jar
  • WSS Member
    edited December 2017

    @Yura said:

    @jarland said:

    @Yura said:
    @Jarland, are you a moderator on HF too, btw? :p

    No but I am two members. Keep your enemies closer ;)

    Bi-member.

    Knowing @jarland's ego, he registered twice just to see GOD beside his name a second time. *

    * This is intended to tease Jar-Jar based around all of the LET derails calling him a megalomaniac.

    Thanked by 1jar
  • jar Patron Provider, Top Host, Veteran

    For that, @WSS, your punishment is to get down on the floor and tell me 250 times that everyone loves me.

    Thanked by 1WSS
  • @jarland said:
    For that, @WSS, your punishment is to get down on the floor and tell me 250 times that everyone loves me.

    AGAIN, MASTAH???

    Thanked by 1jar
  • @jarland said:
    For that, @WSS, your punishment is to get down on the floor and tell me 250 times that everyone loves me.

    What if I just photoshop one Taylor Swift CD to have your name on it, instead?

    Thanked by 1jar
  • jar Patron Provider, Top Host, Veteran

    @WSS said:

    @jarland said:
    For that, @WSS, your punishment is to get down on the floor and tell me 250 times that everyone loves me.

    What if I just photoshop one Taylor Swift CD to have your name on it, instead?

    Deal.

    Thanked by 1jar
  • jarland said: No but I am two members. Keep your enemies closer ;)

    Pretty confident I'm accurate in stating that any competent host or provider has a mole in HF one way or another.

    As Sun Tzu wrote: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

    Thanked by 1jar
  • @jarland said:
    The reality is this: you were compromised somewhere long ago and with so many other people that your credentials may still have not yet been used. Don't believe for a second that you're safe because a year or more has passed.

    “On a long enough time line, the survival rate for everyone drops to zero.” -- Chuck Palahniuk, Fight Club

    Something I've started doing is using email aliases as burner addresses and subaddressing. (Thanks MXRoute!)

    A feature where a person could quickly set up a burner alias, and then get notified privately when it shows up on a password list would be interesting. You could put those databases to use. ;)

    Thanked by 1jar
  • CrossBox Member, Patron Provider
    edited December 2017

    Theft of passwords is not something generic. Generally, it all depends on whether the developers of the software know what they are doing. For example, not salting your passwords before saving them to the database is a common rookie mistake.

    Also, 2FA (two-factor authentication) technology helps prevent account breaches even if the hacker knows the correct password. This is because you also need a time-based token to make a successful login (which is generated by, for example, Google Authenticator, which you install on your smartphone). This means that the hacker will need physical possession of your smartphone to do any real damage.
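An added example (written for this thread, not CrossBox's or any host's code) that demonstrates both points of the comment above: why a bare unsalted digest lets one cracked password unlock every account that reused it, how a per-user salt plus a slow KDF fixes that, and how the time-based token from an authenticator app is computed and checked (RFC 6238 TOTP: HMAC-SHA1, 30-second step, 6 digits). The secret and passwords are constructed test values.

```python
import hashlib
import hmac
import os
import struct


def unsalted_hash(password: str) -> str:
    """Rookie approach: a bare digest. Equal passwords give equal digests,
    so one precomputed (rainbow) table cracks every account reusing them."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    Same password, different salt -> different digest; tables no longer apply."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, stored)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC over the time-step counter, then dynamic truncation.
    This is what the authenticator app on the phone computes from the shared secret."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Server side: accept the current step and +/- `skew` steps for clock drift.
    Without the secret (i.e. the phone), a stolen password alone yields no code."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * 30), code)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test secret and a reused password.
    SECRET = b"12345678901234567890"
    print(unsalted_hash("hunter2") == unsalted_hash("hunter2"))   # True: identical
    s1, d1 = salted_hash("hunter2")
    s2, d2 = salted_hash("hunter2")
    print(d1 == d2, verify_salted("hunter2", s1, d1))              # False True
    print(totp(SECRET, 59), verify_totp(SECRET, totp(SECRET, 59), 89))
```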
