Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials (wired.com)
- Reference: 0177837417
- News link: https://yro.slashdot.org/story/25/05/28/2024243/mysterious-database-of-184-million-records-exposes-vast-array-of-login-credentials
- Source link: https://www.wired.com/story/mysterious-database-logins-governments-social-media/
The records included plaintext passwords and usernames for accounts spanning Netflix, PayPal, Discord, and other major platforms. A sample analysis revealed 220 email addresses with government domains from countries including the United States, China, and Israel. Fowler told Wired he suspects the data was compiled by cybercriminals using infostealer malware. World Host Group, which hosted the database, shut down access after Fowler's report and described it as content uploaded by a "fraudulent user." The company said it would cooperate with law enforcement authorities.
haveibeenpwned (Score:4, Interesting)
Has this been incorporated into haveibeenpwned yet? (Note: that service requires you to submit a password, but it never leaves your browser. The sensitive part of the logic is run only in your javascript, and you can skip it entirely using curl and the shell.)
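The kind of shell-only check the comment above mentions, as an added example that is not part of the original thread. It uses the Pwned Passwords range endpoint, which is sent only the first five hex characters of the password's SHA-1 and returns `SUFFIX:COUNT` lines to compare locally; the function names and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example: k-anonymity lookup against the Pwned Passwords range API.
# The password and its full hash stay local; only a 5-character prefix is sent.

# Uppercase hex SHA-1 of the argument (printf avoids hashing a trailing newline).
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum
    else
        printf '%s' "$1" | shasum -a 1
    fi | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# First 5 hex characters: the only value that leaves the machine.
hibp_prefix() { sha1_hex "$1" | cut -c1-5; }

# Remaining 35 hex characters: compared locally against the response.
hibp_suffix() { sha1_hex "$1" | cut -c6-40; }

# Read a range response (CRLF-terminated "SUFFIX:COUNT" lines) on stdin and
# print how often the password was seen, or 0 if its suffix is not listed.
# The "" concatenations force string comparison, so an all-digit or
# exponent-like suffix is never compared as a number.
hibp_count() {
    hibp_sfx=$(hibp_suffix "$1")
    tr -d '\r' | awk -F: -v s="$hibp_sfx" \
        '($1 "") == (s "") { n = $2 } END { print n + 0 }'
}

# Live lookup; needs curl and network access. Add-Padding asks the service
# to pad the response with zero-count entries so its size reveals less.
hibp_check() {
    curl -fsS -H 'Add-Padding: true' \
        "https://api.pwnedpasswords.com/range/$(hibp_prefix "$1")" |
        hibp_count "$1"
}

# Constructed sample response for prefix 5BAA6 (counts are made up).
sample_range() {
    printf '%s\r\n' \
        '0018A45C4D1DEF81644B54AB7F969B88D65:3' \
        '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42' \
        '011053FD0102E94D6AE2F8B83D76FAF94F6:0'
}
```

Passing the password as a command-line argument exposes it to the process list and shell history on a shared machine, so read it from a prompt or a file when that matters.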
Re: (Score:3)
Also, Google Password Manager will scan the web for compromised passwords in your saved passwords. Since 99% of people already have a Google account, there's no new password to worry about, to use this service.
I don't know if they've picked up this data set yet.
Re:haveibeenpwned (Score:4, Informative)
Note: this ridiculous service syncs your passwords in cleartext to your account even when you haven't explicitly set it up. You think you're just caching a password in your browser, but Google thinks it deserves no more protection than your inbox. Available to anybody that gains access to your account. It's a nice single point of failure.
I just confirmed that though I try to keep Google from ever finding out any of my other passwords, it knows around ten of them (and is happy to display them with a few button presses). I'm not sure how it found out, though it seems to be scraping password vaults in Google drive in addition to syncing things that were typed in Chrome and Android. This WILL get people's bank accounts hacked.
Re: haveibeenpwned (Score:2)
If Google knows the passwords, they are already public knowledge. If you continue to use them, then that's on you.
Re: (Score:2)
That is untrue.
First, you have to have Chrome signed into your Google account. Second, the passwords are encrypted, not plaintext. The key is by default managed for you, but you are free to set your own password which generates a new key as well. If you do that, you can no longer view your saved passwords on the Google Account Manager website, only in browsers where you have entered your password.
Obviously if someone gets into your Google account and you didn't bother to secure it, you are in trouble. Whi
As an ethical security researcher, (Score:2, Redundant)
"As an ethical security researcher, I do not download the data I discover. I only take a limited number of screenshots as necessary and solely for verification and documentation purposes." Great. As an ethical security researcher, he should have downloaded it and uploaded it to "Have I been pawned".
The Counter Offer. (Score:4, Insightful)
> As an ethical security researcher, he should have downloaded it and uploaded it to "Have I been pawned"
(Rick Harrison, Ethical Pawner) “184 million records? Best I can do is ten bucks and this autographed photo of Chumlee... C’mon, I’m taking all the risk here.”
DOGE (Score:1)
Probably the work of the fine folks over at DOGE.
It's hacked turtles all the way down (Score:2)
I bet one hacker group held another hacker group ransom, but they didn't pay up, so public went their stuff.
Re: It's hacked turtles all the way down (Score:2)
Information wants to be free.