DarkBeam leaks billions of email and password combinations (opens in new tab)

(securityaffairs.com)

82 pointsexKitsune2y ago36 comments

36 comments

Each time a breach like this happens I want to download the file and check if

1. My emails are in the dataset, and

2. Any of my passwords are in that dataset.

I really just want the collection of passwords so that I can use it as a check against any of my current passwords.

[EDIT: I know about haveibeenpwned.com; I'm not asking for a service that I send a http request to to determine if a single username exists in the db, I want the db itself so I can chuck it into sqlite and check multiple records at a single time, quickly, for both usernames alone and passwords alone

I also believe it's a bad idea to ask a third-party to perform the check. Even if you trust that third-party now, there is no way to ensure that trust in the future - i.e. it gets bought, breached or pwned itself in the future and best case scenario is that the record of your username lookup is available as "confirmed". Without visiting that site, no one would never know if that record was a throwaway or not.]

GarrickDrgn2y ago

HIBP lets you download their hashed passwords DB to check against.

https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader

imposterr2y ago

If you use any of the better password managers this feature exists and runs automatically. If you don't want to go that route, then you can make use of https://haveibeenpwned.com/

slashtab2y ago

I have a gmail account which google one shows, it along with a username has been leaked on dark web, but haveibeenpwned shows email was not found in any data breach. How is that possible?

1 more reply

lelanthran2y ago

Thank you, I've edited my comment to be more specified

m4632y ago

I agree - download all the passwords and don't single out what you're checking for someone else to see.

I don't know why we can't use this kind of thing for better privacy everywhere.

A similar example (outside the realm of passwords) would be when checking for a software update. Instead of sending "i have software xyz version 1.2.3", just download a current list of software and check it locally against your software. Probably would be faster anyway to download a static dataset instead of hitting a remote database.

hnlmorg2y ago

Services already exist that does this. Some password managers will check but the popular service often talked about on here is https://haveibeenpwned.com/

lelanthran2y ago

Thank you, I've edited my comment to be more specified

2 more replies

shapefrog2y ago

Each time a breach like this happens I want to download the file and check if;

1. People on my s*t list are in the dataset, and

2. Any of their passwords are in that dataset.

Then I can use the information to make their lives miserable.

fahrradflucht2y ago

Darkbeam was acquired by apexanalytix only two days ago. [0] Hope they are still happy with their purchase...

[0] https://www.darkbeam.com/blog/apexanalytix-acquires-darkbeam

stefanoco2y ago

The data breach announcement is a bit vague on the meaning of “login pairs”. The best practices of breaches databases of the like of https://haveibeenpwned.com/ is to maintain records of login matter (username, email, password etc) in a strongly hashed format. This still enables searching and comparing but not extracting for later use. Why the database here looks like plain text is totally unclear. Or maybe the passwords are hashed here also (which anyway exposes email addresses)?

cco2y ago

The company I work for (stytch.com, we provide an authentication API) tracks breached passwords and, depending upon config, will invalidate passwords that have been leaked. Will be interesting to watch our logs over the coming weeks.

fbdab1032y ago

This reminds me of [0] where they maintain composite lists of frequently used passwords. Also in the repo is probably my favorite pull request ever [1].

[0] https://github.com/danielmiessler/SecLists

[1] https://github.com/danielmiessler/SecLists/pull/155

choppaface2y ago

.. do you happen to have a service that lets users know if their password was in the breach?

ShowalkKama2y ago

https://haveibeenpwned.com

2 more replies

65102y ago

I suppose it would require a good few domains and or public mail boxes but imagine if one was to create n fake users for each real user. If any of the fake users log-in on their account all users are forced to change their password.

Thorrez2y ago

Canary accounts:

https://joesecurity.blogspot.com/2009/05/what-is-canary-acco...

65102y ago

Thanks, fascinating stuff. Now if you excuse me, I have swarms of canaries to make.

https://canarytokens.org/generate

GoblinSlayer2y ago

>Use our personal data leak checker to see if your data – email, phone number, or password – has been leaked.

What is the chance that my email and phone number aren't everywhere? Email and phone aliases are still rare.

3abiton2y ago

Culprit: non-password protected instances

debarshri2y ago

The irony is darkbeam positions itself as a digital risk management platform. A based SOC2 security audit would reveal these vulnerabilities.

TedDoesntTalk2y ago

No. Only if the database was exposed at the time of the audit.

debarshri2y ago

Well, if you have some compliance automation. These things are caught very easily.

1 more reply

choeger2y ago

That sounds like a slam-dunk GDPR violation case and a hefty fine.

promiseofbeans2y ago

Oh the irony

instagib2y ago

Multifactor authentication or bust.

downWidOutaFite2y ago

No evidence is presented that anybody but the security researcher noticed the unprotected data. The data is a compilation of previously leaked emails.

readthenotes12y ago

"exposing records with user emails and passwords from previously reported and non-reported data breaches."

I think you mean to say that there is no evidence presented precluding someone grabbing the data?

downWidOutaFite2y ago

Not sure what your point is about non-reported, but that's still previously leaked data. It probably means stuff found in the dark webs.

j / k navigate · click thread line to collapse

36 comments

lelanthran2y ago

Each time a breach like this happens I want to download the file and check if

1. My emails are in the dataset, and

2. Any of my passwords are in that dataset.

I really just want the collection of passwords so that I can use it as a check against any of my current passwords.

GarrickDrgn2y ago

HIBP lets you download their hashed passwords DB to check against.

https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader

imposterr2y ago

If you use any of the better password managers this feature exists and runs automatically. If you don't want to go that route, then you can make use of https://haveibeenpwned.com/

slashtab2y ago

I have a gmail account which google one shows, it along with a username has been leaked on dark web, but haveibeenpwned shows email was not found in any data breach. How is that possible?

1 more reply

lelanthran2y ago

Thank you, I've edited my comment to be more specified

m4632y ago

I agree - download all the passwords and don't single out what you're checking for someone else to see.

I don't know why we can't use this kind of thing for better privacy everywhere.

hnlmorg2y ago

Services already exist that does this. Some password managers will check but the popular service often talked about on here is https://haveibeenpwned.com/

lelanthran2y ago

Thank you, I've edited my comment to be more specified

2 more replies

shapefrog2y ago

Each time a breach like this happens I want to download the file and check if;

1. People on my s*t list are in the dataset, and

2. Any of their passwords are in that dataset.

Then I can use the information to make their lives miserable.

fahrradflucht2y ago

Darkbeam was acquired by apexanalytix only two days ago. [0] Hope they are still happy with their purchase...

[0] https://www.darkbeam.com/blog/apexanalytix-acquires-darkbeam

stefanoco2y ago

cco2y ago

fbdab1032y ago

This reminds me of [0] where they maintain composite lists of frequently used passwords. Also in the repo is probably my favorite pull request ever [1].

[0] https://github.com/danielmiessler/SecLists

[1] https://github.com/danielmiessler/SecLists/pull/155

choppaface2y ago

.. do you happen to have a service that lets users know if their password was in the breach?

ShowalkKama2y ago

https://haveibeenpwned.com

2 more replies

65102y ago

Thorrez2y ago

Canary accounts:

https://joesecurity.blogspot.com/2009/05/what-is-canary-acco...

65102y ago

Thanks, fascinating stuff. Now if you excuse me, I have swarms of canaries to make.

https://canarytokens.org/generate

GoblinSlayer2y ago

>Use our personal data leak checker to see if your data – email, phone number, or password – has been leaked.

What is the chance that my email and phone number aren't everywhere? Email and phone aliases are still rare.

3abiton2y ago

Culprit: non-password protected instances

debarshri2y ago

The irony is darkbeam positions itself as a digital risk management platform. A based SOC2 security audit would reveal these vulnerabilities.

TedDoesntTalk2y ago

No. Only if the database was exposed at the time of the audit.

debarshri2y ago

Well, if you have some compliance automation. These things are caught very easily.

1 more reply

choeger2y ago

That sounds like a slam-dunk GDPR violation case and a hefty fine.

promiseofbeans2y ago

Oh the irony

instagib2y ago

Multifactor authentication or bust.

downWidOutaFite2y ago

No evidence is presented that anybody but the security researcher noticed the unprotected data. The data is a compilation of previously leaked emails.

readthenotes12y ago

"exposing records with user emails and passwords from previously reported and non-reported data breaches."

I think you mean to say that there is no evidence presented precluding someone grabbing the data?

downWidOutaFite2y ago

Not sure what your point is about non-reported, but that's still previously leaked data. It probably means stuff found in the dark webs.

j / k navigate · click thread line to collapse