Who Breaches the Breachers? - 15+ billion usernames and passwords from 8,000+ websites leaked

[rcmaehl]

Summary:

Data Indexer, Data Viper, known for it's gray hat collection, buying, and selling of database breaches has itself been breached leaking over 15 billion usernames and passwords.

 

Media:

 

Quotes

Quote

Data Viper, a security startup that provides access to some 15 billion usernames, passwords and other information exposed in more than 8,000 website breaches, has itself been hacked. The hackers also claim they are selling on roughly 2 billion records, including data from several companies that likely either do not know they have been hacked or have not yet publicly disclosed. Data Viper offers a cautionary and twisted tale of what can happen when security researchers  get too close to their prey or lose sight of their purported mission. Data Viper has billed itself as a “threat intelligence platform designed to provide organizations, investigators and law enforcement with access to the largest collection of private hacker channels, pastes, forums and breached databases on the market.” Many private companies sell access to such information to vetted clients — mainly law enforcement officials and anti-fraud experts. Data Viper has sought to differentiate itself by advertising “access to private and undisclosed breach data.” Troia has acknowledged posing as a buyer or seller on various dark web forums as a way to acquire old and newly-hacked databases from other forum members. But this approach may have backfired over the weekend, when someone posted to the deep web a link to an “e-zine” (electronic magazine) describing the Data Viper hack and linking to the Data Viper user base. The anonymous poster alleged he’d been inside Data Viper for months and had exfiltrated hundreds of gigabytes of breached data from the service without notice. The intruder also linked to several dozen new sales threads on the dark web. Some of the databases for sale tie back to known, publicly reported breaches. But others correspond to companies that do not appear to have disclosed a security incident.

 

My thoughts:

Data Viper has been on the less ethical side for a while, not really surprised this happened. I wonder if this is related to a specific incident from today though. Anyway, for those who want a more ethical site for data breach notifications check out https://haveibeenpwned.com/ which will likely have a copy of all these new breaches shortly!

 

Sources:

KerbsOnSecurity (Quote Source)

ZDNet

[SabianSVK]

So, are the https://haveibeenpwned.com/ databases already updated, or?

[BobVonBob]

7 minutes ago, SabianSVK said:

So, are the https://haveibeenpwned.com/ databases already updated, or?

Nope, but you can watch their recently added breaches section to see when they are.

[SabianSVK]

Thanks mate. I will check in couple of days and run my family emails thru it ...

PS: Wouldn´t it be really freakin cool, if LTT forums could check their user database emails and compare it with https://haveibeenpwned.com/ , and then notify said users? Like once a month? Just an idea for higer-ups  

[BobVonBob]

2 minutes ago, SabianSVK said:

Thanks mate. I will check in couple of days and run my family emails thru it ...

PS: Wouldn´t it be really freakin cool, if LTT forums could check their user database emails and compare it with https://haveibeenpwned.com/ , and then notify said users? Like once a month? Just an idea for higer-ups  

Sending your entire user database over the internet once a month sounds like creating a self-breach to me. Not a good idea.

[SabianSVK]

Not that I am security expert of any sorts, but isn´t there a simple-ish way to set-up a secured query, with "us" sending only emails and HIBP returning true/false?

PS: I am just thinking out loud, don´t take me that seriously  

[Salv8 (sam)]

please excuse me while i change my passwords on all of my accounts for the 10000th time this hour.

[rawrdaysgoby]

If you guys are going to threaten or steal from someone please don't do it to us plebs. it is a waste of your time and ours.

[Bombastinator]

Reminds me a bit of the time that celebrity gossip video host had his own divorce splashed across the tabloids.  He did a great big “Oh.  Maybe it IS a really evil thing.... like he had been told a thousand times by others and just brushed it off.

 

Maybe it will learn em.  There is no such thing as grey hat. 

[StDragon]

Today should be the official everyone-change-their-password day.

[Bombastinator]

8 minutes ago, StDragon said:

Today should be the official everyone-change-their-password day.

... celebrated weekly.

[PianoPlayer88Key]

Hmm maybe it's approaching time to change some of my passwords.... but then what to USE as a password that I'll remember... like if I get a password manager and forget that password, or if my phone sings the Queen song, or I myself kick the bucket or multiple things happen simultaneously so I (or my family if i'm gone) can't get into my accounts....

Spoiler

I don't think those are my oldest passwords either.  (And no, I made sure not to show the actual passwords, just a couple dates when they were changed.)

heh i'm remembering a cartoon or something i saw like 20 or so years ago.  guy was at his computer logging into a site, his daughter (probably under age 10 i guess) was in the room.  he logs in, she excitedly yells "I KNOW DADDY's PASSWORD!! It's asterisk, asterisk, asterisk, asterisk....."

 

 

speaking of old usernames / passwords .... sometimes I wish there was a way to remind myself of my usernames & passwords from websites or BBS's from the mid 1990s.  once in a while i've wished I could take a trip down memory lane  

[Statik]

7 hours ago, PianoPlayer88Key said:

Hmm maybe it's approaching time to change some of my passwords.... but then what to USE as a password that I'll remember... like if I get a password manager and forget that password, or if my phone sings the Queen song, or I myself kick the bucket or multiple things happen simultaneously so I (or my family if i'm gone) can't get into my accounts....

  Reveal hidden contents

I don't think those are my oldest passwords either.  (And no, I made sure not to show the actual passwords, just a couple dates when they were changed.)

heh i'm remembering a cartoon or something i saw like 20 or so years ago.  guy was at his computer logging into a site, his daughter (probably under age 10 i guess) was in the room.  he logs in, she excitedly yells "I KNOW DADDY's PASSWORD!! It's asterisk, asterisk, asterisk, asterisk....."

 

 

speaking of old usernames / passwords .... sometimes I wish there was a way to remind myself of my usernames & passwords from websites or BBS's from the mid 1990s.  once in a while i've wished I could take a trip down memory lane  

I just use a password with randomly generated passwords, then make a password you can't forget. My Bitdefender password is like 30+ characters, but I have it set I have to need to be put in every time I open Firefox, so it's burned into my mind.

 

 

Side bar, does anyone have a method to check to see which passwords need to be changed? I have like 30 passwords in my vault and I really would like to avoid changing them all if possible.