
Data Breach - 1,500 Sites, 27 Million Accounts affected

Default_Idiot

A data breach of 1,500 sites that did not implement HTTPS has surfaced. The leaked information includes emails and passwords in plain text. More than 2 GB of .txt files containing user credentials were freely available on http://www.pxahb.xyz . The breach probably occurred in December 2017, judging by the files' date of creation. I can't provide you with the full list of affected websites, but there are no "big ones" amongst them (e.g. Google, Yahoo, Amazon, etc.) as they all implement HTTPS correctly.

 

The website has been taken down, but I found some url reports that contain screenshots:

Report 1

Report 2

 

There is no information about the breach in mainstream media; the only coverage that I could find is a YouTube video from the (fairly) popular Linux YouTuber Quidsup. He is a reliable source when it comes to computer security/privacy and related topics (btw, he works as a malware analyst). I will try to update the topic if any new information appears.

 

However, the leaked data still shows that people are not very creative when it comes to passwords; phrases like "123456" and "password" are common. But the ones to blame are the people who maintain those websites. Having a login page on your website in 2018 and not having HTTPS enabled is complete suicide - sniffing HTTP traffic can be done by anyone skilful enough to power on a computer. SSL certificates are not expensive to obtain, and certificate authorities such as Let's Encrypt give them out for free. There is literally no excuse for not having HTTPS on your website.

 

Update: Thanks to Google's cache we have part of the list of affected websites: https://webcache.googleusercontent.com/search?q=cache:lITAZhUWlk4J:pxahb.xyz/emailpass/+&cd=2&hl=en&ct=clnk&gl=en

 

 

 

 

 

 

 


Surprise, surprise - it continues...


I'm always surprised when I stumble upon a site that doesn't have an SSL certificate. CloudFlare offers free SSL certificates to literally anyone who creates an account. Hell, even this site uses a free CloudFlare certificate.


Heck, I stumbled across a website last week that actually expected me to input CC data on an insecure page. This same site had a secure login to use both Amazon and PayPal, yet couldn't secure their own payment page. It doesn't surprise me in the least that there are websites that haven't figured out how to secure their login.


Nothing major as far as I can tell. Small business sites, non-US based sites, etc. Seeing if I can get a copy of the files now....


6 hours ago, Default_Idiot said:

However, the leaked data still shows that people are not very creative when it comes to passwords, phrases like "123456" and "password" are common.

This shouldn’t surprise anyone. People using such weak passwords are basically begging to be hacked. 


5 hours ago, Homeless Pineapple said:

Hell, even this site uses a free CloudFlare certificate.

Not only that, Cloudflare is also the one protecting the forum from denial of service attacks.


Meh, roughly 98% of them are very uninteresting sites. Pretty much, this leak is probably the biggest exposure they've received. LOL.


LastPass needs to get on buying another round of integration. 

 

Seriously, one of the password wallets, depending on how over-the-top you want to be in security, is the way to go.


2 hours ago, Tech_Dreamer said:

meh, roughly around 98% of em are very uninteresting sites. pretty much this leak is probably the biggest exposure they've received. LOL.

There's a few EDU sites in there.


9 hours ago, huilun02 said:

Any notable sites that got breached?

The only one I recognized was www.akoma-trade.com, but there was a .org for a county website in New Jersey and a couple .edu sites. But nothing I've ever seen. Looked like a lot of sites with .cz.*, so unless you visit a lot of niche foreign sites, there doesn't appear to be much of anything.

 

How people get associated with these sites is beyond me.... And the password security? wow...

 

In case anyone is curious, here is a good site to "test" potential passwords: https://www.bennish.net/password-strength-checker/

This uses zxcvbn. There is also a link to the GitHub in case anyone wants to download it and run it off-network to test the strength of their own password. What is funny? "1 + 2 = 3" is much stronger than 12345 or password123, etc...

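To make the "1 + 2 = 3" versus "password123" comparison above concrete, here is an added example of the idea behind zxcvbn; it is not the zxcvbn library, nor the bennish.net checker, and it is not from the original post. Instead of counting characters, it estimates how many guesses an attacker who knows common passwords, keyboard sequences and repeated characters would need, by searching over every way of splitting the password into such patterns (a dynamic programme, which is how zxcvbn finds its cheapest segmentation). The word list, the per-pattern guess formulas and the 0..4 score thresholds are simplified stand-ins modelled on zxcvbn's, not copied from it; the list is constructed for this example.

```python
import math

# Constructed mini "most common passwords" list, most common first. The real
# zxcvbn ships frequency-ranked lists of tens of thousands of passwords, names and words.
COMMON = ["123456", "password", "12345", "qwerty", "letmein", "welcome",
          "admin", "iloveyou", "monkey", "dragon", "abc123", "football"]
RANK = {word: i + 1 for i, word in enumerate(COMMON)}


def charset_size(ch):
    """Size of the alphabet a brute-force attacker must cover for one character."""
    if ch.islower() or ch.isupper():
        return 26
    if ch.isdigit():
        return 10
    return 33   # printable ASCII punctuation and space


def candidate_matches(token):
    """Yield (pattern, guesses) for each cheap pattern the whole token matches."""
    low = token.lower()
    if low in RANK:
        # Attacker walks the list in rank order; capitalisation variants roughly double the work.
        yield ("dictionary", RANK[low] * (2 if token != low else 1))
    if len(token) >= 3:
        deltas = {ord(b) - ord(a) for a, b in zip(token, token[1:])}
        if deltas in ({1}, {-1}):
            # "12345" / "abcde": a handful of obvious starting points, times length,
            # times 2 if the attacker must also try the descending direction.
            base = 4 if token[0] in "aAzZ019" else (10 if token[0].isdigit() else 26)
            yield ("sequence", base * len(token) * (2 if deltas == {-1} else 1))
        if len(set(token)) == 1:
            yield ("repeat", charset_size(token[0]) * len(token))


def estimate_guesses(password):
    """Cheapest attack over all segmentations of the password into patterns.

    Returns (guesses, segments); segments lists (substring, pattern) on the cheapest path.
    """
    n = len(password)
    best = [math.inf] * (n + 1)        # best[j]: fewest guesses covering password[:j]
    how = [None] * (n + 1)
    best[0] = 1
    for j in range(1, n + 1):
        # Fallback: brute-force the j-th character from its own alphabet.
        best[j] = best[j - 1] * charset_size(password[j - 1])
        how[j] = (j - 1, "bruteforce")
        for i in range(0, j - 1):      # tokens of length >= 2 ending at position j
            for pattern, guesses in candidate_matches(password[i:j]):
                if best[i] * guesses < best[j]:
                    best[j] = best[i] * guesses
                    how[j] = (i, pattern)
    # Walk the back-pointers to report which patterns the cheapest attack used.
    segments, j = [], n
    while j > 0:
        i, pattern = how[j]
        piece = (password[i:j], pattern)
        if segments and pattern == "bruteforce" and segments[-1][1] == "bruteforce":
            segments[-1] = (piece[0] + segments[-1][0], pattern)   # merge brute-forced runs
        else:
            segments.append(piece)
        j = i
    return best[n], segments[::-1]


def score(guesses):
    """zxcvbn-style bucket 0..4: 0 is guessed almost instantly, 4 is beyond offline cracking."""
    for s, limit in enumerate((1e3, 1e6, 1e8, 1e10)):
        if guesses < limit:
            return s
    return 4


if __name__ == "__main__":
    for pw in ("12345", "password123", "Password123", "1 + 2 = 3"):
        guesses, segments = estimate_guesses(pw)
        print(f"{pw!r}: ~{guesses:.3g} guesses, score {score(guesses)}, patterns {segments}")
```

The point the post makes falls straight out of the segmentation: "12345" is matched as a whole dictionary entry (a handful of guesses), "password123" collapses to one list lookup plus a three-digit sequence, while "1 + 2 = 3" matches no pattern at all and has to be brute-forced character by character over a digits-plus-symbols alphabet. Length alone is not what makes it stronger; the absence of anything a cracker's wordlists and rules already cover is.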

On 2/1/2018 at 1:43 AM, Ryujin2003 said:

What is funny? "1 + 2 = 3" is much stronger than 12345 or password123, etc...

Time to update my passwords, thanks for the tip. xD

