Troy Hunt

FEBRUARY 21, 2018

Last August, I launched a little feature within Have I Been Pwned (HIBP) I called Pwned Passwords. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. Here's what it's all about: There's Now 501,636,842 Pwned Passwords.

Passwords 279

Passwords Data breaches Mobile Risk 279

Troy Hunt

JULY 8, 2019

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era. Shortly after that blog post I launched Pwned Passwords with 306M passwords from previous breach corpuses. 3,768,890 passwords. 3,768,890 passwords.

Passwords 240

Passwords Accountability Authentication Data breaches 240

Troy Hunt

NOVEMBER 14, 2018

Last week I wrote a couple of different pieces on passwords, firstly about why we're going to be stuck with them for a long time yet and then secondly, about how we all bear some responsibility for making good password choices. This week, I wanted to focus on going beyond passwords and talk about 2FA.

Passwords 266

Passwords Authentication Accountability Mobile 266

Troy Hunt

APRIL 27, 2018

When I launched Pwned Passwords in August , I honestly didn't know how much it would be used. I made 320M SHA-1 password hashes downloadable and also stood up an API to query the data "as a service" by either a plain text password or a SHA-1 hash. Thanks @haveibeenpwned !

Passwords 209

Passwords 209

Troy Hunt

NOVEMBER 7, 2018

The first one was about HSBC disclosing a "security incident" which, upon closer inspection, boiled down to this: The security incident that HSBC described in its letter seems to fit the characteristics of brute-force password-guessing attempts, also known as a credentials stuffing attack. link] — Troy Hunt (@troyhunt) November 6, 2018.

Passwords 244

Passwords Accountability Hacking Education 244

Krebs on Security

JANUARY 6, 2020

Organizations in the throes of cleaning up after a ransomware outbreak typically will change passwords for all user accounts that have access to any email systems, servers and desktop workstations within their network. ” WHOLESALE PASSWORD THEFT. If we’d had more time to prepare, it would have gone better.

Passwords 253

Passwords Ransomware Password Management Malware 253

Krebs on Security

DECEMBER 19, 2024

But a review of this Araneida nickname on the cybercrime forums shows they have been active in the criminal hacking scene since at least 2018. That user, “ Exorn ,” has posts dating back to August 2018. THE TURKISH CONNECTION Silent Push notes that the website where Araneida is being sold — araneida[.]co

Hacking 230

Hacking Cybercrime Advertising Data breaches 230

Digital Shadows

MARCH 17, 2025

Key Findings Even years after their disclosure, VPN-related vulnerabilities like CVE-2018-13379 and CVE-2022-40684 remain essential tools for attackers, driving large-scale campaigns of credential theft and administrative control. CVE-2018-13379: The Eternal Exploit What is CVE-2018-13379?

VPN 133

VPN Authentication Ransomware Risk 133

Krebs on Security

FEBRUARY 19, 2020

Networking software giant Citrix Systems says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. 13, 2018 and Mar. 28, 2018, a claim Citrix initially denied but later acknowledged.

VPN 363

VPN Passwords Software Telecommunications 363

Krebs on Security

SEPTEMBER 5, 2023

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. 15, 2022, LastPass said an investigation into the August breach determined the attacker did not access any customer data or password vaults.

Cryptocurrency 362

Cryptocurrency Passwords Encryption Accountability 362

Troy Hunt

NOVEMBER 13, 2024

As I said, our IT department recently notified me that some of my data was leaked and a pre-emptive password reset was enforced as they didn't know what was leaked.    It would be good to see it as an informational notification in case there's an increase in attack attempts against my email address.

Data breaches 294

Data breaches Passwords B2B Technology 294

Approachable Cyber Threats

MARCH 1, 2022

Our 2022 update to our famous password table that’s been shared across the news, internet, social media, and organizations worldwide. Password Strength in 2022 It’s been two years since we first shared our (now famous) password table. Hackers solve this problem by cracking the passwords instead. Keep reading!

Passwords 145

Passwords Software Internet Internet 145

Krebs on Security

NOVEMBER 21, 2024

The bot allowed the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website. The phishing kits used for these campaigns featured a hidden Telegram instant message bot that forwarded any submitted credentials in real-time. Click to enlarge.

Identity Theft 251

Identity Theft Phishing Cryptocurrency Accountability 251

Troy Hunt

NOVEMBER 19, 2020

txt" had a small number of email address and password hex pairs. I mean can we trust that both the email addresses and passwords from these alleged breaches represent actual accounts on those services? txt" and true to its name, it appears from the forgotten password email that they were never even hashed in the first place.

Passwords 363

Passwords Password Management Accountability Risk 363

Troy Hunt

MARCH 29, 2018

The penny first dropped for me just over 7 years ago to the day: The only secure password is the one you can't remember. In an era well before the birth of Have I Been Pwned (HIBP), I was doing a bunch of password analysis on data breaches and wouldn't you know it - people are terrible at creating passwords! Everywhere.

Password Management 270

Password Management Passwords Data breaches Retail 270

The Hacker News

SEPTEMBER 9, 2021

Network security solutions provider Fortinet confirmed that a malicious actor had unauthorizedly disclosed VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices. These credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor's scan.

VPN 141

VPN Passwords Accountability Network Security 141

Troy Hunt

FEBRUARY 27, 2018

When I launched Pwned Passwords V2 last week , I made it fast - real fast - and I want to talk briefly here about why that was important, how I did it and then how I've since shaved another 56% off the load time for requests that hit the origin. Why Speed Matters for Pwned Passwords. And a bunch of other cool perf stuff while I'm here.

Passwords 224

Passwords Internet Internet Architecture 224

Security Affairs

JUNE 20, 2021

Norway police secret service states said that China-linked APT31 group was behind the 2018 cyberattack on the government’s IT network. Norway’s Police Security Service (PST) said that the China-linked APT31 cyberespionage group was behind the attack that breached the government’s IT network in 2018. Pierluigi Paganini.

Government 142

Government Hacking Cyber Attacks Passwords 142

Troy Hunt

MARCH 9, 2023

that was out of a total of more than 166M requests in the same period: Yep, we just hit "five nines" of cache hit ratio on Pwned Passwords being 99.999%. It also means that the 48c per day cost is going to come way down 🙂 Every time the FBI feeds new passwords into the service , the impacted file is purged from cache.

Passwords 348

Passwords Accountability 348

Troy Hunt

JUNE 8, 2021

Ever notice how there was a massive gap of almost 9 months between announcing the intention to start open sourcing Have I Been Pwned (HIBP) in August last year and then finally a couple of weeks ago, actually taking the first step with Pwned Passwords ? I was pretty excited when I saw PRs coming in right after launching that last blog post.

Passwords 358

Passwords Accountability 358

Krebs on Security

FEBRUARY 4, 2025

Department of Justice said it seized eight domain names that were used to operate Cracked, a cybercrime forum that sprang up in 2018 and attracted more than four million users. ” Image: Ke-la.com. 30, the U.S. Intel471 finds the user FlorainN registered across multiple cybercrime forums using the email address olivia.messla@outlook.de.

eCommerce 203

eCommerce Cybercrime Accountability Passwords 203

Schneier on Security

APRIL 2, 2020

account number and points balance, but not passwords) Additional Personal Details (e.g., This isn't nearly as bad as the 2014 Marriott breach -- made public in 2018 -- which was the work of the Chinese government. Marriott announced another data breach, this one affecting 5.2 linked airline loyalty programs and numbers).

Hacking 274

Hacking Accountability Data breaches Government 274

Krebs on Security

JULY 8, 2019

In the 15-month span of the GandCrab affiliate enterprise beginning in January 2018 , its curators shipped five major revisions to the code, each corresponding with sneaky new features and bug fixes aimed at thwarting the efforts of computer security firms to stymie the spread of the malware. The GandCrab identity on Exploit[.]in

Ransomware 277

Ransomware Accountability Cybercrime Passwords 277

Adam Levin

FEBRUARY 21, 2020

We are confident that no financial, payment card or password data was involved in this matter.”. Travel and hospitality industries have been a frequent target of hackers in recent years, perhaps most notably being the 2018 Marriott data breach that affected 300 million customers.

Data breaches 305

Data breaches Identity Theft Passwords Technology 305

CyberSecurity Insiders

OCTOBER 13, 2021

Problems arise for businesses when they base their access management programs entirely around passwords, however. Such programs overlook the burden that passwords can cause to users as well as to IT and security teams. Passwords: An unsustainable business cost. Users have too many passwords to remember on their own.

Passwords 141

Passwords Accountability Data breaches Authentication 141

Malwarebytes

SEPTEMBER 9, 2021

According to Fortinet the credentials were obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor’s scan. Even if the devices have since been patched, if the passwords were not reset, they remain vulnerable. CVE-2018-13379.

VPN 132

VPN Passwords Ransomware Internet 132

Troy Hunt

JANUARY 16, 2019

Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. In total, there are 1,160,253,228 unique combinations of email addresses and passwords. This is when treating the password as case sensitive but the email address as not case sensitive. There are 21,222,975 unique passwords. It'll be 99.x%

Data breaches 280

Data breaches Passwords Password Management Accountability 280

Krebs on Security

DECEMBER 16, 2021

Truglia admitted to a New York federal court that he let a friend use his account at crypto-trading platform Binance in 2018 to launder more than $20 million worth of virtual currency stolen from Michael Terpin , a cryptocurrency investor who co-founded the first angel investor group for bitcoin enthusiasts.

Cryptocurrency 363

Cryptocurrency Mobile Accountability Scams 363

Troy Hunt

SEPTEMBER 11, 2018

that no, you didn't just need a username and birth date to reset the account password. link] — Troy Hunt (@troyhunt) April 18, 2018. Third party password managers are precisely what we need to address the scourge of account takeover attacks driven by sloppy password management on behalf of individuals.

Media 266

Media Accountability Passwords Mobile 266

Krebs on Security

JULY 12, 2024

AT&T also acknowledged the customer records were exposed in a cloud database that was protected only by a username and password (no multi-factor authentication needed). Earlier this year, AT&T reset passwords for millions of customers after the company finally acknowledged a data breach from 2018 involving approximately 7.6

Data breaches 348

Data breaches Passwords Authentication Accountability 348

Krebs on Security

JULY 13, 2020

Data Viper , a security startup that provides access to some 15 billion usernames, passwords and other information exposed in more than 8,000 website breaches, has itself been hacked and its user database posted online. Password re-use becomes orders of magnitude more dangerous when website developers engage in this unsafe practice. .”

Hacking 363

Hacking Marketing Cybercrime Accountability 363

Security Affairs

MARCH 20, 2025

DCRat first appeared in the threat landscape in 2018, but a year later it was redesigned and relaunched. The malspam messages had the topic Free primary legal aid use a password-protected attachment Algorithm of actions of members of the family of a missing serviceman LegalAid.rar.

Computers and Electronics 107

Computers and Electronics Telecommunications Malware Surveillance 107

Troy Hunt

JUNE 30, 2022

Four and a half years ago now, I rolled out version 2 of HIBP's Pwned Passwords that implemented a really cool k-anonymity model courtesy of the brains at Cloudflare. Later in 2018, I did the same thing with the email address search feature used by Mozilla, 1Password and a handful of other paying subscribers. is the middle one.

Passwords 322

Passwords Identity Theft Consumer Services Password Management 322

SecureList

MARCH 11, 2025

The link points to a legitimate file-sharing service where a password-protected archive awaits, the password for which is also in the video description. Attackers create fake accounts or use stolen ones, then upload videos advertising cheats, cracks, gaming bots and similar software.

Passwords 85

Passwords Malware Advertising Software 85

Troy Hunt

JUNE 25, 2018

thanks @troyhunt for the excellent @haveibeenpwned service that notifies users of #privacy disasters like this :) [link] pic.twitter.com/jlqnKXteDG — Yale Privacy Lab (@YalePrivacyLab) June 4, 2018. I at least know about it, thx to @haveibeenpwned — Tim Plas (@TJPlas) June 3, 2018. ticketfly a heads up would have been nice.

Passwords 276

Passwords Data breaches Password Management Accountability 276

Krebs on Security

JUNE 15, 2021

nl — circa October 2018. “On top of the password re-use, the data shows a great insight into her professional and personal Internet usage,” Holden wrote in a blog post on Witte’s arrest. ” According to the DOJ, Witte had access to Trickbot for roughly two years between 2018 and 2020.

Cybercrime 354

Cybercrime Ransomware Passwords Banking 354

Krebs on Security

AUGUST 12, 2020

As KrebsOnSecurity observed back in 2018 , many people — particularly older folks — proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. In 2018, the U.S.

Accountability 358

Accountability Mobile Banking Passwords 358