773M Password ‘Megabreach’ Is Years Old

449 points, posted by rkrzr over 6 years ago

18 comments

ascar, over 6 years ago

Since a few weeks ago I have been receiving spam emails threatening me with an old password I no longer use. I wonder if it's related to this collection. It starts with:

> I am well aware [old password I think I swapped out everywhere, but definitely in all important places, when I started to use random keepass pws two years ago] is your pass words. Lets get straight to the point. None has compensated me to check about you. You don't know me and you're most likely wondering why you are getting this e-mail?

He continues to tell me my computer was hacked using that password, he downloaded my contacts, recorded me watching porn and now threatens to send that video to all my contacts. Of course unless I send him bitcoins for about $1000 to 1EiJMyvw2NP6T6vyWQ81HgUfBUVT1mqZkM

I have gotten multiple of these emails in my spam folder since December. The password most likely comes from the Heroes of Newerth leak back in 2014!

It's obviously a scam no one should respond to, but I'm sure there is a large enough number of people that get intimidated enough and are actually buying and sending bitcoins. This is a real threat these collections create. To be honest I feel uneasy about this email though I'm 100% sure this password has not been used for anything important since about two years ago. I can't imagine how someone with a current password and no security/compsci knowledge at all would feel.

I unfortunately deleted all but the last of these emails, so I wonder if he reuses the same bitcoin address and it can be easily blacklisted by authorities. If he is smart he generates a different address for every single email.
Jordrok, over 6 years ago

I can't remember if it was haveibeenpwned.com or some other site, but I seem to recall once a few years ago checking my email on a site which also showed you the first two characters of the password which had been compromised. Maybe it has since been discontinued because of security concerns, but I found it really useful at the time because it let me know that the leaked password was an old one that I hadn't used in years.

I know best practice is to immediately change your password regardless, but with the increasing frequency of these kinds of breaches and the reuse and recombination of old lists, how long will it be before emails from leak notification sites like haveibeenpwned start becoming so frequent that people start ignoring them? I am already more guilty of that than I'd like to admit, even though I should know better.

I know there are various places you can check a given password against known leak lists, but it makes me really uncomfortable typing my password into any place which is not a password manager or the site it's used for - enough that I want to change it afterwards anyway.

I already hear the arguments that none of this matters if you follow best practices, which are not wrong, but I've always gone with the option which is as secure as possible without being overly burdensome, and I'm sure I'm not the only one.
yingw787, over 6 years ago

I was terrified of my old email being compromised because somebody tried logging into it from Windows (I don't use Windows) and because I had an identity theft scare a month back. What I'm doing going forward is having a personal email acct I don't give out (with 2FA thru U2F), and creating burner GMail accounts that forward emails to that email using POP3. I'm already pwned because I use my personal email for a lot of things, but I like to think it keeps my attack surface minimal.
willvarfar, over 6 years ago

So the seller shows a screenshot with browser tabs, a date and a time. One of the tabs is really very specific, looking at a particular disqus profile.

I'm not familiar with Windows; is there anything in the screenshot to suggest it's Tor Browser or anything like that?

Presumably the miscreant's ISP and e.g. the Russian government can guess real easy who generated that screenshot...?

Of course what they'd do with that info is anyone's guess. It could well not be an offence to sell collections of passwords, if indeed it's even an offence to hack those passwords in the first place.
dhruvrrp, over 6 years ago

In the first image with the telegram id the other id is for discord. I don't recall discord being e2e encrypted so that is an interesting choice to offer. Especially since discord is known to have access to all data since they regularly remove chats/servers that don't follow their ToS.
jammygit, over 6 years ago

This has been the event that has finally convinced my wife to use a password manager. I'm torn between bitwarden and 1Password though. Anyone care to weigh in on the options? My biggest concern with BitWarden is the lack of automated testing

edit - just fyi, Bitwarden responded on github last month with a plan to add some testing, and I *think* some of their code does use automated testing. They have issues on GitHub tracking it :)
ocdtrekkie, over 6 years ago

All of the breaches are, especially these compilation ones. I switched email addresses back in 2016, and despite having accounts basically everywhere, my newer account has never shown up in a breach. Even the email address I used primarily for new accounts years before that hasn't shown up in any. Only my original created-in-2006 Gmail account ends up in breach lists.
dmix, over 6 years ago

Anyone here recommend a good security key? Is YubiKey still the best option?

I noticed that they don't have any usb-c + NFC options.
neogodless, over 6 years ago

For Troy Hunt's detailed breakdown of this particular breach: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
paulcole, over 6 years ago

Yeah, somebody signed into my Netflix account that I reactivated after years and years of inactivity. It was the only site that was using a really old password that's in this breach.
GCA10, over 6 years ago

Naive soul here, but is it really wise to type live passwords into someone's site that ostensibly is looking for matches with its existing database? That seems awfully trusting.
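The unease Jordrok and GCA10 voice above about typing a live password into a third party's checker is exactly what the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords service addresses: the client hashes locally, sends only the first five hex characters of the SHA-1, and matches the returned suffixes itself, so the service never sees the password or its full hash. The following is an added example, not code from the page or from HIBP; the corpus and its counts are constructed, and the server side is a local stand-in for the real range endpoint.

```python
import hashlib
from typing import Callable, Dict, Iterable, Tuple

# Constructed stand-in for a breach corpus: a few passwords with the number of
# times each was seen. A real service holds hundreds of millions of SHA-1s.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password": 3730471,
    "letmein": 236500,
    "hunter2": 17043,
    "correct horse battery staple": 102,
}

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; the range index is keyed on it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Server side: bucket every hash by its first 5 hex chars. Each bucket
    maps the remaining 35-char suffix to its breach count."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index

def range_query(index: Dict[str, Dict[str, int]], prefix: str) -> Iterable[Tuple[str, int]]:
    """Server side (hypothetical local stand-in for a range endpoint): the client
    sends only a 5-char prefix and gets back every suffix in that bucket, so the
    server cannot tell which one, if any, the client actually holds."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return sorted(index.get(prefix, {}).items())

def check_password(password: str, query: Callable[[str], Iterable[Tuple[str, int]]]) -> Tuple[str, int]:
    """Client side: hash locally, send the prefix only, match the suffix locally.
    Returns (prefix_sent, breach_count); a count of 0 means not in the corpus.
    The password and its full hash never leave this function."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for got_suffix, count in query(prefix):
        if got_suffix == suffix:
            return prefix, count
    return prefix, 0

if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_CORPUS)
    for pw in ("hunter2", "xK9#vQ2!pLm4-constructed"):
        sent, n = check_password(pw, lambda p: range_query(index, p))
        print(f"sent only prefix {sent}: " + (f"seen {n} times" if n else "not in corpus"))
```

The trade-off is the one Jordrok hints at: a range of roughly a few hundred suffixes per prefix is what keeps the lookup anonymous, and the client does the final comparison, so nothing about the result has to be trusted to the server.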
jmakov, over 6 years ago

Probably a good start to using 2FA and security keys.
some345, over 6 years ago

I think they are also trying to use the same credentials to log in to accounts. I got an email from Epic Games saying there were too many failed login attempts, so it was suspended. Ironically, I don't even remember having one. So I logged into the account and made sure none of the information on there was personal.
AdmiralAsshat, over 6 years ago

That would explain why HIBP told me my account was in the breach, but I couldn't find a specific password within his Password Checker--the breach is probably from before I switched to a password manager and rotated all of my passwords.
onion2k, over 6 years ago

Thank goodness everyone changes their password regularly.
kylek, over 6 years ago

Re-released as a scare tactic to get people to buy 1password? (I hate to sound cynical, because really it's a great way to get people to look into password managers if it was a marketing scheme)
JoeCoo7, over 6 years ago

My New Year's resolution is to change my passwords every year and not reuse any.

Along with the traditional diet and exercise spiel that lasts a month, only 12 days left on most of my New Year's resolutions!
thisisweirdok, over 6 years ago

Yeah I knew this when I got the haveibeenpwned email about it. Just brushed it off with a "oh, that password is making the rounds again." The password in question was compromised something like 5+ years ago.

Having a 20 character password in a vault and 2FA is a great peace of mind now. I don't even have to bother looking into it.