Leaks of email addresses and passwords

Sony Group: 17,695 records. Toshiba Group: 10,635. Toyota Motor Group: 8,194. Reporting by Nikkei Business has revealed that information on employees of Japan's leading companies has leaked in bulk. What was confirmed is a list recording combinations of email addresses and passwords. It was originally sold on dark-web sites with a limited user base, but it can now be downloaded free of charge through sites that anyone can access. The total number of combinations recorded in the list reaches 1.6 billion. (Leak of 1.6 billion passwords confirmed; many Japanese companies including Sony and Toyota Motor affected. Nikkei Business Online via Yahoo! Japan News, distributed Friday 7 September 2018, 11:29)
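Below is an added example, not code from this page or from Nikkei Business, of the triage a defender runs over an email:password combo list of the kind the article describes, to answer the question its per-company counts raise: how many entries fall under our mail domains, and which accounts need a forced reset. It splits each line on the first ':' or ';' so passwords that themselves contain a separator survive, lower-cases the address, counts usable pairs per domain (subdomains included), and for hits on a watched domain keeps only the SHA-1 of the password, split into the 5-character prefix and 35-character suffix used by the Have I Been Pwned Pwned Passwords range API, so the triage output can be retained without re-creating the leak. The sample lines and the watched domain example-corp.co.jp are constructed for the example and are not real data.

```python
"""Triage a leaked email:password combo list by mail domain.

Added example, not code from the original page or from Nikkei Business.
SAMPLE_DUMP is constructed data; WATCHED_DOMAINS is a hypothetical
corporate domain, not any real company's.
"""
import hashlib
from collections import Counter

# Constructed sample in the common "email:password" layout. Real dumps mix
# separators, contain unusable lines, and have passwords that include ':'.
SAMPLE_DUMP = """\
alice@example-corp.co.jp:Summer2017!
BOB@Example-Corp.co.jp:pa:ss:word
carol@partner.example:hunter2
dave@mail.example-corp.co.jp;letmein
not-an-email-line
eve@example.org:
frank@example-corp.co.jp:Summer2017!
"""

WATCHED_DOMAINS = {"example-corp.co.jp"}  # hypothetical watch list


def parse_line(line):
    """Return (email, password) or None for an unusable line.

    Cut at the earliest ':' or ';' only, so a password that contains a
    separator is kept whole. The address is lower-cased; the password is not.
    """
    line = line.strip()
    cuts = [line.find(sep) for sep in (":", ";") if sep in line]
    if not cuts:
        return None
    cut = min(cuts)
    email, password = line[:cut].strip().lower(), line[cut + 1:]
    if "@" not in email or not password:
        return None
    return email, password


def domain_of(email):
    return email.rsplit("@", 1)[1]


def is_watched(domain, watched=WATCHED_DOMAINS):
    """True for a watched domain itself or any subdomain of it."""
    return any(domain == w or domain.endswith("." + w) for w in watched)


def pwned_range_key(password):
    """SHA-1 of the password split as the Pwned Passwords range API uses it:
    the 5-hex-char prefix is what gets sent, the 35-char suffix is compared
    locally against the returned list."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def triage(dump_text, watched=WATCHED_DOMAINS):
    """Count usable pairs per domain and collect watched-domain hits.

    Hits hold (email, prefix, suffix); the plaintext is discarded so the
    result can be stored without reproducing the leak.
    """
    per_domain = Counter()
    hits = []
    skipped = 0
    for raw in dump_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            skipped += 1
            continue
        email, password = parsed
        dom = domain_of(email)
        per_domain[dom] += 1
        if is_watched(dom, watched):
            prefix, suffix = pwned_range_key(password)
            hits.append((email, prefix, suffix))
    return per_domain, hits, skipped


def reused_hashes(hits):
    """Password hashes shared by more than one watched account."""
    counts = Counter(prefix + suffix for _, prefix, suffix in hits)
    return {h for h, n in counts.items() if n > 1}


if __name__ == "__main__":
    per_domain, hits, skipped = triage(SAMPLE_DUMP)
    for dom, n in per_domain.most_common():
        print(f"{n:6d}  {dom}")
    print(f"{len(hits)} watched-domain accounts to reset, {skipped} lines skipped")
    print(f"{len(reused_hashes(hits))} password(s) shared across watched accounts")
```

Identical suffixes across hits mean accounts sharing a password, which is the first group to reset; only the five-character prefix would ever leave the machine if the hashes were checked against the range API.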
I do not know which list the Nikkei Business article is referring to, but I also introduce articles from overseas sites on the same subject. Leaks of personal information have been reported many times in the past.

Their most recent find: a 41-gigabyte file that contains a staggering 1.4 billion username and password combinations.

The usernames and passwords have been collected from a number of different sources. 4iQ’s screenshot shows dumps from Netflix, Last.FM, LinkedIn, MySpace, dating site Zoosk, adult website YouPorn, as well as popular games like Minecraft and Runescape. (Lee Mathews, File With 1.4 Billion Hacked And Leaked Passwords Found On The Dark Web, Dec 11, 2017, 02:45pm)

While scanning the deep and dark web for stolen, leaked or lost data, 4iQ discovered a single file with a database of 1.4 billion clear text credentials — the largest aggregate database found in the dark web to date.

The 41GB dump was found on 5th December 2017 in an underground community forum. The database was recently updated with the last set of data inserted on 11/29/2017. The total amount of credentials (usernames/clear text password pairs) is 1,400,553,869.

We’ve found that although the majority of these breaches are known within the Breach and Hacker community, 14% of exposed username/passwords pairs had not previously been decrypted by the community and are now available in clear text. (Julio Casal, 1.4 Billion Clear Text Credentials Discovered in a Single Database, medium.com, Dec 9, 2017)

One list, known as the “Anti Public Combo List“, contains 457,962,538 distinct email addresses, and although HIBP creator Troy Hunt, who first reported the discovery of the lists last Friday, has so far been unable to trace the source of the data, he believes it comes from multiple breaches rather than a single event. (Dale Walker, Breach site finds 1 billion accounts in hacked datasets, 9 May 2017)

On Friday, Twitter user Chris Vickery teased world plus dog that he was going public on Monday with news of a massive data breach of 1.37 billion records. And that turned out to be as many as 1.37 billion contact details amassed by River City Media (RCM) – an internet marketing biz apparently based in Jackson, Wyoming, that claims to emit up to a billion emails a day.

The 200GB table includes real names, email addresses, IP addresses, and “often” physical addresses, it is claimed. Vickery said he “stumbled upon a suspicious, yet publicly exposed, collection of files,” and discovered the database and documents related to RCM. Among the millions and millions of contact details were chat logs and files exposing the sprawling RCM empire. It turns out the spamming, er, marketing biz has many tentacles and affiliates, mostly acting as web service providers and advertising operations. (John Leyden, That big scary 1.4bn leak was 100s of millions of email, postal addresses. Spammers, shockingly, hoard contact details on millions of netizens, The Register, 7 Mar 2017 at 03:15)


I get a lot of requests from people for data from Have I been pwned (HIBP) that they can analyse. Now obviously, there are a bunch of people up to no good requesting the data but equally, there are many others who just want to run statistics. Regardless, the answer has always been “no”, I’m not going to redistribute data to you. In fact, the requests were happening so frequently that I even wrote the blog post No, I cannot share data breaches with you.

However, as part of HIBP’s 3rd birthday celebrations, I am going to share data with you, quite a lot of it. In fact, I’m opening up almost all the data in HIBP with a few very important caveats: (Troy Hunt, Here’s 1.4 billion records from Have I been pwned for you to analyse, troyhunt.com, 06 December 2016)


A Russian group has hacked 1.2 billion usernames and passwords belonging to more than 500 million email addresses, according to Hold Security – a US firm specialising in discovering breaches. Hold Security described the hack as the “largest data breach known to date”. It claimed the stolen information came from more than 420,000 websites, including “many leaders in virtually all industries across the world”. (Russia gang hacks 1.2 billion usernames and passwords, BBC, 6 August 2014)


References

  1. https://keybase.pub/lakofsth/breachcompilation.sortuniq.txt.7z
  2. ';--have i been pwned? (Have I Been Pwned, HIBP)
  3. DeHashed (the site advertised 5,906 searchable databases at the time of writing)
  4. List of data breaches (Wikipedia)
  5. Yahoo! data breaches (Wikipedia)
  6. Taylor Armerding, The 17 biggest data breaches of the 21st century, CSO, Jan 26, 2018, 3:44 AM PT


The following is a different incident.

They took the personal and financial details of customers who made, or changed, bookings on ba.com or its app during that time. Names, email addresses and credit card information were stolen – including card numbers, expiration dates and the three digit CVC code required to authorise payments. Around 380,000 transactions were affected. (Matt Burgess, The British Airways hack is impressively bad, WIRED, Friday 7 September 2018)