Data breach aficionado Troy Hunt has significantly updated his "Have I Been Pwned?" website in recent days, adding a data set of 2,844 breach incidents involving 80 million stolen records, and introducing version two of his Pwned Passwords service.
The new data set comes from an online hacking forum that was apparently discovered by the operators of breach notification website Hacked-DB, who reported their findings to HackRead last week. Hacked-DB said that the nearly 3,000 individual databases collectively totaled 9GB in size, ranged in date from 2011-2018, and contained 200 million unique user accounts that included email addresses, PII, possible financial accounts, and unique IP addresses and account identifiers. In a 26 February blog post, however, Hunt stated that he was able to distill the data down to 80,115,532 unique email addresses, and that almost all of the files contained just email addresses and plain text passwords.
Hunt also said that an examination of the doxxed data, which was distributed as a single ZIP file, determined that roughly 34 percent of the unique email addresses listed were new to his HIBP website. The remaining 66 percent included victims that he had seen in past breaches, including those affecting Dropbox and Lifeboat.
Both Hunt and Hacked-DB published the full list of targeted databases whose data was lifted. Hunt has labeled this collective breach list as "unverified," because he cannot be sure how many of the records are legitimate and how many are bogus or only partially correct. However, the fact that he was able to match up some records against those found in previous breach incidents lends credibility to this particular data set.
"As with almost every other data breach, treat this as a reminder of how important a dedicated password manager is for ensuring all your passwords are unique and genuinely strong," Hunt stated in the blog post.
Days earlier, on 22 February, Hunt announced that he had bolstered his Pwned Passwords service, which is a database of the most commonly used or compromised credentials, to help users know which passwords to avoid at all costs. For this upgrade, Hunt increased the data set from 320 million passwords to over 501.6 million passwords, including those found in the 711-million-record Onliner Spambot dump in August 2017 and another 1.4 billion clear text credentials that were discovered in an aggregate online database last December.
"It's simply meant to be a list of strings that pose an elevated risk if used for passwords, and for that purpose, it's enormously effective," Hunt wrote on his blog page.
In addition, his service now offers a count of how many times each breached password appeared in Hunt's data sources, allowing users to rank which passwords are among the most frequently stolen and published, and therefore the most important to avoid when registering accounts and applications.
"What this means is that next to 'abc123' you'll see 2,670,319 -- that's how many times it appeared in my data sources," wrote Hunt. "Obviously with a number that high, it appeared many times over in the same sources because many people chose the same password. The password 'acl567', on the other hand, only appeared once."
"Having visibility to the prevalence means, for example, you might outright block every password that's appeared 100 times or more and force the user to choose another one (there are 1,858,690 of those in the data set), strongly recommend they choose a different password where it's appeared between 20 and 99 times (there's a further 9,985,150 of those), and merely flag the record if it's in the source data less than 20 times," Hunt continued.
Hunt, who also introduced a new technique that allows people to use the technology while maintaining their anonymity, said that he has counted 3.03 billion occurrences of the 501.6 million unique passwords listed by his Pwned Passwords service.
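The tiered policy Hunt describes, as an added example that is not code from Hunt or the HIBP project: a candidate password is hashed with SHA-1, only the first five hex characters of the digest go to a range lookup (the k-anonymity scheme Pwned Passwords v2 uses, so neither the password nor its full hash leaves the client), and the 100 / 20 thresholds are applied to the count that comes back. The range lookup is an offline stand-in built from a constructed corpus; `Summer2017!` and its count are made up, while the `abc123` and `acl567` figures are the ones quoted above.

```python
import hashlib

# Thresholds quoted by Hunt: block at 100+ occurrences, recommend a
# change at 20-99, and merely flag anything seen fewer than 20 times.
BLOCK_AT = 100
WARN_AT = 20


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (one per hash sharing the prefix)."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts


def classify(count: int) -> str:
    if count >= BLOCK_AT:
        return "block"      # force the user to pick something else
    if count >= WARN_AT:
        return "warn"       # strongly recommend a different password
    if count > 0:
        return "flag"       # seen, but rarely; record it and move on
    return "ok"


def check_password(password: str, range_lookup):
    """Return (prevalence, decision) without disclosing the password."""
    prefix, suffix = sha1_prefix_suffix(password)
    count = parse_range_response(range_lookup(prefix)).get(suffix, 0)
    return count, classify(count)


# Constructed corpus: abc123 and acl567 counts are the figures Hunt quotes;
# Summer2017! and its count are invented to exercise the middle band.
CONSTRUCTED_CORPUS = {"abc123": 2670319, "acl567": 1, "Summer2017!": 45}


def make_offline_lookup(corpus):
    """Stand-in for the range endpoint: answers a prefix with every
    suffix:count pair under it, or an empty body if none match."""
    table = {}
    for pw, n in corpus.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{n}")
    return lambda prefix: "\r\n".join(table.get(prefix.upper(), []))
```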