Have I Been Pwned Adds New Data Set of 361 Million Email Addresses

Troy Hunt’s Have I Been Pwned website has been updated with a 122-gigabyte list pulled from “thousands of Telegram channels.”

Australian security researcher Troy Hunt has added a vast new data set to his database of compromised email addresses, Have I Been Pwned.

Another security researcher sent the 122-gigabyte data set to Hunt last week. The data was pulled from thousands of Telegram channels and includes a large number of email addresses not previously seen in data breaches.

“I uploaded it to Have I Been Pwned (HIBP) today because there are a large number of never-before-seen email addresses and based on all the checks I’ve done, they’re legitimate data,” Hunt said in a blog post on September 4. June.

The data comprises 1,700 files, 2 billion lines, and 361 million unique email addresses (including this author’s), in many cases along with the passwords and the websites they belong to.

The way that data was collected illustrates how the hacking community regularly exchanges the personal data of millions of people, particularly on Telegram. The social media platform is popular for its privacy and security, which also allows anonymous posting of data such as stolen credentials; that’s why it’s so popular as a platform for hackers, particularly politically motivated hacker collectives.

This data is published in “merge lists,” data sets that combine email addresses with passwords.

“The combination of these is obviously what is used to authenticate to various services, and we often see attackers use them to mount ‘credential stuffing’ attacks where they use the lists to attempt to access accounts en masse,” Hunt said.

The data Hunt recently uploaded was pulled from 518 discrete Telegram channels, with a total of 1,748 files. Hunt tested a sample of these emails by entering them into the services they were associated with, which then typically returned a prompt to enter a password or a message saying that an account already exists with that email; either way, it confirms the validity of the data.

“I’m not going to try the password because that would constitute unauthorized access,” Hunt said. Testing passwords was not the goal, Hunt said, but the check does show that the data is real.

Hunt, however, used his subscriber database to contact registered users of his site, and many were more than happy to confirm that the email and password combinations were completely legitimate. Many of these users had their credentials compromised in multiple combined listings and previous data breaches, but Hunt wanted to understand where the new, unique credentials, some of which appeared more than 100 times for a wide range of websites, might have come from.

Working with his subscribers, Hunt concluded that data-stealing malware was likely to blame. One subscriber in particular, a customer of German telecommunications company Deutsche Telekom, had been informed by the company that his account had been compromised, along with passwords provided by Telekom and stored in Firefox by the customer.

“The stealing malware explains both the Telekom password and why the Firefox passwords were obtained; there’s nothing necessarily wrong with either service, but if a machine is infected with software that can grab passwords directly from the fields they’re entered in the browser, it’s game over,” Hunt said.

Hunt concluded with the advice he always gives in these cases, which is that most people use very poor passwords or do not pay enough attention to keeping their software and devices up to date.

“So if you’re here, what are you doing?” Hunt said.

“It’s a repeat of the same old advice we’ve been giving in this industry for decades, that is, keep devices patched and updated, run appropriate security software for your device (I use Microsoft Defender on my PCs), use strong and unique passwords (get a password manager!) and enable 2FA whenever possible.”

That’s advice worth following.
