
2.2 billion email addresses and passwords leaked - are you affected?


Usually, large (and illegal) collections of email addresses and passwords are an expensive commodity. Hackers, intelligence agencies and spammers tend to pay good money for extensive and detailed data sets on the dark web to support their activities. Recently, "Collection #1" was circulated and caught the eye of IT security expert Troy Hunt. It contained 773 million unique email addresses and 21 million passwords in clear text, much to the alarm of many users. One week later, it became apparent that this data set was only the tip of the iceberg.

Billions of data sets have leaked

While originally assumed to be a rare find, "Collection #1" with its 87 GB and 12,000 individual files was quickly overshadowed by "Collection #2" to "Collection #5", totaling 600 GB. The sets are still being analyzed, but so far 2.2 billion email address and password combinations have been identified, though not all of the passwords are in readable clear text. The data was most likely stolen from many different companies and other organizations over an extended period of time. And since the lists are now easily found by anyone through common search engines, it's high time you changed your passwords.

The problem for many is that they use the same combination of email address and password for multiple portals and services. Once hackers get hold of a collection, they tend to employ a technique called "credential stuffing": automated login requests that replay each leaked email/password pair against web applications. The more accounts share a single email/password pair, the higher the success rate (Amazon and eBay are common first-strike targets). Social networks are also frequently targeted, so be wary should you suddenly spot ads on one of your friends' profiles - they might be affected. Check the dedicated website of the Hasso-Plattner-Institut to find out whether your email address is affected. The institute maintains a database of over 8 billion (!) user accounts that stem from data leaks and sends a detailed report to the email address you enter, so only the owner of an address receives its report.
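The attack described above has a recognisable footprint in a web application's login logs: one source address tries many different accounts, each only once or twice, and most of the attempts fail. The Python script below is an added example (it is not part of the original article or of any Ashampoo product) that flags this pattern and tells a brute-force attempt on a single account apart from it. The log format, IP addresses and accounts are constructed for the example, and the thresholds are assumptions to be tuned for a real site.

```python
"""Spot credential stuffing in login logs (added example, constructed data).

Brute force hammers ONE account with many passwords. Credential stuffing
replays leaked email/password pairs, so one source touches MANY accounts,
each a few times at most, with a low success rate. The few successes are
the accounts whose leaked password still works and must be reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <OK|FAIL> <account>"
SAMPLE_LOG = """\
2019-01-25T10:00:01 203.0.113.7 FAIL alice@example.com
2019-01-25T10:00:02 203.0.113.7 FAIL bob@example.com
2019-01-25T10:00:03 203.0.113.7 FAIL carol@example.com
2019-01-25T10:00:04 203.0.113.7 FAIL dave@example.com
2019-01-25T10:00:05 203.0.113.7 FAIL erin@example.com
2019-01-25T10:00:06 203.0.113.7 OK   frank@example.com
2019-01-25T10:00:07 203.0.113.7 FAIL grace@example.com
2019-01-25T10:00:08 203.0.113.7 FAIL heidi@example.com
2019-01-25T10:05:00 198.51.100.2 FAIL ivan@example.com
2019-01-25T10:05:03 198.51.100.2 FAIL ivan@example.com
2019-01-25T10:05:07 198.51.100.2 OK   ivan@example.com
"""


def parse_log(text):
    """Return a list of (timestamp, ip, success, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, outcome, account = line.split()
        events.append((datetime.fromisoformat(ts), ip, outcome == "OK", account.lower()))
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_accounts=5, max_success_ratio=0.5):
    """Flag source IPs that, within `window`, tried at least `min_accounts`
    distinct accounts with a success ratio at or below `max_success_ratio`.
    Thresholds are assumptions for the example. For each flagged IP the widest
    qualifying window is kept, including the accounts that did log in."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological; tuples sort by timestamp first
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            accounts = {e[3] for e in window_evs}
            successes = [e for e in window_evs if e[2]]
            if (len(accounts) >= min_accounts
                    and len(successes) <= max_success_ratio * len(window_evs)):
                prev = findings.get(ip)
                if prev is None or len(accounts) > prev["distinct_accounts"]:
                    findings[ip] = {
                        "distinct_accounts": len(accounts),
                        "attempts": len(window_evs),
                        "successes": len(successes),
                        # these accounts' leaked passwords still work: force a reset
                        "likely_compromised": sorted({e[3] for e in successes}),
                    }
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_accounts']} accounts in "
              f"{info['attempts']} attempts, {info['successes']} succeeded; "
              f"reset: {', '.join(info['likely_compromised'])}")
```

Only 203.0.113.7 is flagged: eight accounts in eight seconds with a single success, which is the stuffing signature. 198.51.100.2 retries one account three times and is left alone; it may be a brute-force attempt or just someone mistyping, but it is a different problem with a different response (per-account lockout or rate limiting rather than a mass reset).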

What is still secure now that the passwords are known?

So far, one in two users has received bad news, meaning their personal data have been disclosed online. I myself have tried all email addresses I could remember. Result: Apart from an old address I haven't used in at least 8 years, none were affected. They've likely found an ancient data set that is irrelevant today - that does nothing for the uneasy feeling I still have, though. Admittedly, my pulse was slightly elevated when I received my reports from Hasso-Plattner-Institut.

For those who are affected: Change the affected passwords right away, switch to strong and unique ones, and feel free to check out my older blog article on how to come up with secure passwords, i.e. anything but "1234". Generally, I recommend a password manager if you frequently use online portals and stores. Password management software generates long, random passwords for each site you visit and keeps them in an encrypted vault that is unlocked with a single master password. This way, you'll have to remember one strong password instead of many, and the software fills in the login form for you as soon as you visit one of the sites. Because every site gets its own password, a leak at one service no longer opens the door to any other. Best of all: The program never forgets your passwords. You may also consider changing your passwords at regular intervals. Yes, that can be cumbersome, especially for multiple accounts, and it matters far less than never reusing a password, but it does shorten the time a leaked password stays valid. If possible, also enable two-factor authentication, particularly for data- or cost-intensive accounts, so that a second factor, e.g. a one-time code from your cellphone or a dedicated security key, is required in addition to the password. A leaked password alone is then no longer enough to log in. Whichever approach you choose, may your data stay safe!

What I would like to know: Have you already visited the website of Hasso-Plattner-Institute (https://sec.hpi.de/ilc/search?lang=en)? Are you affected?

10 comments
  • B

    Hi

    I tried the Hasso-Plattner database test and the account I am using for your Ashampoo blog passed!

    Thanks for the heads up on the site!

    My Microsoft Hotmail.com account I opened in 1993 was not so lucky. Pays to use one email account for important things, and one for general things... I have been getting junk at hotmail.com there for years. Microsoft has excellent junk spam filters, so even now my account is usable and seems secure.

    I use easy passwords to remember and just rely on Win Defender, no anti-virus, use dubious websites (Pirate Bay etc.) all the time, but can't remember my last virus infection. Maybe 1993?

    Clicking on emails activates them. It also helps to have an administrator account on your personal computer, so that when I use my BK everyday logins and click on, let's say, one of your email attachments, even accidentally, the code would not run! You or even I could not install anything on my computer. I would have to log out and re-log in as admin. Hopefully by then I would realize something's off.

    Regards BK

  • L

    Thank you for the article, Sven.

    I never use online password managers because they are online, and only ONE password is needed to unlock many. Two-factor authorisation may be okay now, but I expect that to be compromised at some point in the future.

    Password managers rely on you NOT remembering your password for their business, so they provide a way for you to never need to remember them. It's like phone numbers; before mobiles, we had to remember them, but now they are stored on the phone's database for us, and we don't need to know them.

    The more you type in your password, the more likely you are to remember it.

    If you forget a password, most websites offer a password reset link. Not only do you get to regain access to your account, you can change the password at the same time.

    Forgetting passwords may be somewhat inconvenient, but another one is just a click and e-mail away. Besides, any essential account passwords could be stored in a local password vault. Even writing passwords down is okay if you don't write down what it's a password for.

  • R

    Thanks Sven, fascinating Article!

    Did not know about the Hasso-Plattner-Institute but it's now bookmarked and I've visited it. I did know about haveibeenpwned.

    I endorse your comments about a password manager completely AND the use of 2-factor authentication. Been using one for about 6 years because I couldn't cope without it.

    I use password safe (https://pwsafe.org/) because at the time it was one of the few (free) options available on all 4 platforms - Windoz, Linux, iOS and Android and I keep the database in the cloud on dropbox - so I can access the database from any device anywhere anytime and if I make changes, only one place gets updated. And I back up those files to another cloud store as well. I guess you'd put me in the paranoid club.

    Changing habits is always difficult. I guess with the things I used to do and systems I had to use and access, I got paranoid and decided to drop the typical casual "she'll be right" approach, because in the corporate world that would have got you fired, so if I had to change for work, why not do the same thing in my personal life. However, once I made the change - and got used to it - I couldn't live without it today.

    I am staggered at the laissez-faire approach of so many people who don't grasp the issue even when it's explained. I go one step further. I NEVER let the browser store account login credentials. While it's a remote possibility, if someone got on to my device (in person or a hack) when I'm logged in, then it's wide open.

    I've also discovered something else recently in a conversation with a group discussing different age group behaviour patterns. The laissez-faire / "what?" / "nah, not going to happen" attitude is increasingly found in the Gen Y and Gen Z groups. Surprisingly, the older age group (mine) is apparently well aware of the dangers but falls more in the category of "it's too difficult (to change my behaviour)" because they are not so capable with apps and software.

  • J

    A very real problem with many people being complacent with their security. The two-factor authentication works well. Can be a pain, but if you value your security, worthwhile doing. It is a fact of life and this will only become more prevalent as we move more towards digital systems. Unfortunately, there are many that do not realize the impact(s) of cyber crime.

  • D

    Big red lines on one of my most used accounts ("Collection #2" and "Collection #5") grrr

    Thanks again Sven

    Hope your weekend is warmer than our -37 °C

    Light rain showers and a moderate breeze, 4 degrees Celsius :)

  • T

    Yes, 4 out of 8 hits @ Plattner.

    Already using a pw-manager for a couple of years but still it gives me the 'heebie-jeebies' to know that my records are listed somewhere. Too bad people make money with an illegal activity like this!!!

  • Y

    Yessir, two out of six affected. Both older ones, my very first private email account the worst and most recently in Jan. 2019 as it seems (non-verified leak). My second one back in June 2012. Should I be worried? Not too much I guess. As you said, keeping passwords up to date and, where it counts, I am using the two-factor authentication.

  • D

    Thanks for this most informative article, along with the included link. While I have used a powerful password manager for several years, which changed all my passwords, and does so on a fairly regular basis, I still found I had been "leaked" once over 6 years ago, including an old password. Fortunately that had been changed some time ago, and as a precaution I changed it again, along with two factor verification. Everyone needs to check out the link you provided!!

  • h

    Sadly Sven my name & IP address appears on at least one leaked list going by the received report....details & time frames are not given...I recently changed my password after checking on “Have I been pwned”... I think I have spelt that correctly??....I have been using only one account for years...but this has got me very worried...last thing I needed post heart bypass...Have I done enough by changing my password??...Sorry for labouring you Dear Friend....being disabled I need to shop online usually via eBay But this is making me VERY wary....Thanks In Advance & Take Care

    It's perfectly adequate to change your password, don't worry. Get well soon!

  • A

    Thank you for this most relevant article. As a consequence, I have now checked in with the Hasso-Plattner-Institute and with relief obtained an all clear.

    I do try to introduce variations within my password repertoire but all along a similar theme. On my PC, Google remembers all for me but I struggle at times when out and about having resisted installing any accounts whatsoever on my phone. It is, I guess, about time I introduced a Password Manager into my life which I also include on my phone.
