70 Million (7 Crore) account credentials leaked in massive password dump

rootyme · Jan 20, 2024

Bad news for all. Reminder that everybody needs to use dedicated password managers these days. This dump is now infamously known as "the Naz.api stuffing list."

Deep dive: https://www.troyhunt.com/inside-the-massive-naz-api-credential-stuffing-list/
YCombinator Discussion: https://news.ycombinator.com/item?id=39028122
Enter your E-Mail ID here to check if you're part of the leak: https://haveibeenpwned.com/

Are you a Hathway consumer? There is yet-another-bad-news for you. In December 2023, hundreds of gigabytes of data allegedly taken from Indian ISP and digital TV provider Hathway appeared on a popular hacking website.

Relevant Reading: https://restoreprivacy.com/hacker-allegedly-holds-data-of-41-million-hathway-customers/
Enter your E-Mail ID here to check if you're part of the leak: https://haveibeenpwned.com/

kartikoli · Jan 20, 2024

If I am not mistaken wasn't a popular password manager was hacked few months back? I don't remember the exact name but it wasn't 1pass that my company uses (thats how I remember). Secondly how trustworthy are these checking websites if unknowingly we are providing more information to them by checking our emails

rootyme · Jan 20, 2024

kartikoli said:
Secondly how trustworthy are these checking websites if unknowingly we are providing more information to them by checking our emails

Tony Hunt is the guy behind that site. He is from Microsoft. Microsoft already has your mail ID. It's a reputed site running for around a decade now.

kartikoli said:
If I am not mistaken wasn't a popular password manager was hacked few months back?

It was lastpass.

Rednekol · Jan 20, 2024

Self hosting a password manager (like VaultWarden) is also a very viable method, if you don't wanna trust other corporations with your data

Ramadhir Singh · Jan 23, 2024

rootyme said:
Reminder that everybody needs to use dedicated password managers these days

why anyone needs a pw manager ?
sorry it could be just me, but i fail to understand the need of a pw manager. where its can be just a simple logical pattern.
my shortest length of password would be 15char, unique for each site. no repetition in any site and non of them contains dictionary words.

based on my pattern, i make my password and check strength here https://www.security.org/how-secure-is-my-password/, my weakest password would need minimum "1 billion years' to crack according to this calculation.

Edit - here is one of my real password- Jib@ntoM@nush1958 - if one detect the pattern he understand which services it is related to and its too easy for me to change the password in the same pattern, let's say every 6 month, i would never run out of options.

so please remind me again why everyone in this earth need password manager ?

--- About data breach --
nothing beats cowIN & adhar data breach.
Adhar data breach is like software upgrade cycle - https://www.thehindu.com/sci-tech/t...ns-got-breached-explained/article67505760.ece.
our Govt & Infosys might fire people if they don't do atlest twice a year.

rootyme · Jan 23, 2024

Ramadhir Singh said:
Edit - here is one of my real password- Jib@ntoM@nush1958 - if one detect the pattern he understand which services it is related to and its too easy for me to change the password in the same pattern, let's say every 6 month, i would never run out of options.

You're not the only one doing that. I used to the same as well.

Ramadhir Singh said:
so please remind me again why everyone in this earth need password manager ?

Convenience and random 100+ character long passwords without any pattern that nobody can track or crack.

Your smart pattern still leaves you vulnerable in case somebody gets hold of it.

n1r0 · Jan 23, 2024

Another advantage is if you have an autofill plugin in your browser, it's very easy to detect fake phishing sites. The plugin will autofill only on the real domain. There was this fake steam site that even I couldn't tell was fake, but when the autofill wouldn't work, I got wise.

rootyme · Jan 23, 2024

n1r0 said:
There was this fake steam site that even I couldn't tell was fake

Can you share the link?

n1r0 · Jan 23, 2024

rootyme said:
Can you share the link?

For obvious reasons I will not be sharing scam links, if you're so inclined google will help you find them.
Here's an example screenshot though:

t3chg33k · Jan 23, 2024

Ramadhir Singh said:
why anyone needs a pw manager ?
sorry it could be just me, but i fail to understand the need of a pw manager. where its can be just a simple logical pattern.
my shortest length of password would be 15char, unique for each site. no repetition in any site and non of them contains dictionary words.

based on my pattern, i make my password and check strength here https://www.security.org/how-secure-is-my-password/, my weakest password would need minimum "1 billion years' to crack according to this calculation.

Edit - here is one of my real password- Jib@ntoM@nush1958 - if one detect the pattern he understand which services it is related to and its too easy for me to change the password in the same pattern, let's say every 6 month, i would never run out of options.

so please remind me again why everyone in this earth need password manager ?

--- About data breach --
nothing beats cowIN & adhar data breach.
Adhar data breach is like software upgrade cycle - https://www.thehindu.com/sci-tech/t...ns-got-breached-explained/article67505760.ece.
our Govt & Infosys might fire people if they don't do atlest twice a year.

How many of your unique passwords would you remember all the time? I have nearly 500 unique entries in my password manager as of now and there is no way I was going to remember them unless I created a pattern.

The moment you start repeating, a single leak opens up a portal to multiple sites. If uniqueness is based only on symbols or characters, that is easy to cycle through.

As someone else mentioned, cross-platform auto-fill with site verification is a positive as is leak detection. Also, easy login makes it easier to not have cookies stored for most sites, reducing tracking.

May be passkeys will be the bigger step forward for most users.

Darth Vader · Jan 23, 2024

Set Password/MFA -> forget password -> reset password at every login = Winning at life ?

rootyme · Jan 23, 2024

Darth Vader said:
Set Password/MFA -> forget password -> reset password at every login = Winning at life ?

This.

Step 0 - Become Ghajini

Step 1 - Launch notepad.

Step 2 - Close your eyes.

Step 3 - Run your finger throughout the keyboard as your heart pleases

Step 4 - Type the name of your paramour/spouse and her date of birth at the end

Step 5 - Copy

Step 6 - Paste in new/confirm new password

Step 7 - Save the notepad as ghajini-dump.txt

Step 8 - Repeat.

Step 9 - Remove the previous entry from ghajini_dump.txt

Step 10 - Repeat

Congrats, you're now immortal.

ibose · Jan 23, 2024

rootyme said:
Step 1 - Launch notepad.

rootyme said:
Step 7 - Save the notepad as ghajini-dump.txt

Now everybody knows.

napstersquest · Jan 24, 2024

rootyme said:
Step 7 - Save the notepad as ghajini-dump.txt

altair21 · Jan 24, 2024

what are yall's recommendations for password managers? I am pretty iffy after lastpass breach and self hosting is too expensive, I have just enabled mfa and have linked it to a Gmail id which in turn needs 2fa to be accessible and the password for that is around 15-20 characters even if they are duct words combined.
any advice for this approach?

n1r0 · Jan 24, 2024

1. If you're using Gmail or have an Android, you should be using Chrome's auto fill to save your passwords. The advantage of this is:

your passwords are sync'd across your devices, including Chrome on PC
GBoard on Android will let you auto fill the credentials on any app
added bonus is whenever a new sign in is detected on your account, your device will show you a notification

You end up using longer, random, patternless passwords for everything. And if there's ever a Gmail leak, you're gonna lose all your other accounts linked to it anyway.

--------------------------

2. Another non-Google option is using something like KeePass.

On PC you use an app + browser plugin
On Android you use a dedicated keyboard app which can auto type credentials directly to any app
You can customize the character set and length for password auto generation. Some sites don't allow certain symbols, so easy to remove them from the set
You can save other relevant data/notes apart from username & password

The issue here is the encrypted database file needs to be sync'd between PC & phone manually. You could put it on your GDrive, or set up an FTP on your home network to have auto sync. The obvious advantage is you are in full control of your database + decrytion key, so leaks are less likely/targeted than cloud based services.

Salman Ahmad Khan · Feb 10, 2024

altair21 said:
what are yall's recommendations for password managers? I am pretty iffy after lastpass breach and self hosting is too expensive, I have just enabled mfa and have linked it to a Gmail id which in turn needs 2fa to be accessible and the password for that is around 15-20 characters even if they are duct words combined.
any advice for this approach?

I use Bitwarden. It's extremely simple and the extension is non-intrusive. In terms of security, it's open source and well audited.

Tbh, as long as you don't re-use passwords, you should be good with MFA. But a good password manager never hurts.

ruseffraiun · Feb 10, 2024

Thanks for sharing this https://haveibeenpwned.com/ website. I found out one of my accounts was leaked in Dubsmash leak which happened in 2018. Thank goodness I have been using Bitwarden for a long time and changed all of my passwords.

Btw, I highly recommend Bitwarden as PW manager, it's open source and comes with a lot of useful features.

DewlanceWebHosting · Feb 12, 2024

I think the Firefox built-in password manager is safe because it encrypts your passwords.

You can create a new 20MB partition and encrypt it. Then, store it in encrypted disk and use copy/paste for each website.

70 Million (7 Crore) account credentials leaked in massive password dump

Do you use a dedicated password manager?

Yes

No

rootyme

kartikoli

rootyme

Rednekol

Ramadhir Singh

Wasseypur

rootyme

n1r0

rootyme

n1r0

t3chg33k

Darth Vader

rootyme

ibose

napstersquest

Thread Police

altair21

n1r0

Salman Ahmad Khan

ruseffraiun

DewlanceWebHosting