500 Million Breached Passwords Released by Researcher to Help Organizations Protect Their Systems

A security researcher has released an updated list of 500 million breached passwords so that organizations can use it to protect their systems.

On 22 February, Australian web security expert Troy Hunt published the second version of “Pwned Passwords.” The feature lets users check a new or existing password against a list of 501,636,842 passwords previously exposed in data breaches, so organizations can use it to ensure that users choose secrets that are not already known from any public security incident.

People can either download the entire list or use an online search tool to check their passwords. If they choose the latter, the tool tells them whether their password appears in the list. It also displays a count of how many times the service found that password across the various data sources the list is built from.

Pwned Passwords v2 (Source: Troy Hunt)

Such a feature has many potential applications in the security world. 1Password recognized one when it integrated the feature’s k-Anonymity model into its password manager. This integration lets users gauge their exposure if they choose to opt into 1Password’s new option.

“I’m *so* impressed with what they’ve done here; I launched this service only 27 hours ago and they’ve already pushed this out. They had no prior knowledge I was doing this, they just got hands on tools right away and made it happen. That’s awesome.” — Troy Hunt (@troyhunt) February 22, 2018

As with the first version of the feature, Hunt decided to SHA-1 hash the entries in Pwned Passwords. He did so not because he thinks SHA-1 is a sufficiently robust algorithm for protecting sensitive data like passwords. Rather, he believes it’s important “to ensure that any personal info in the source data is obfuscated such that it requires a concerted effort to remove the protection, but that the data is still usable for its intended purposes.”

The data in Pwned Passwords isn’t perfect, either. CynoSure Prime examined the feature and identified junk strings in some of its entries. Hunt says those strings make up a fraction of a fraction of the list’s overall size. He also admits he’s not trying to create something that’s perfect:

“This list is not perfect – it’s not meant to be perfect – and there will be some junk due to input data quality and some missing passwords because they weren’t in the source data sets. It’s simply meant to be a list of strings that pose an elevated risk if used for passwords and for that purpose, it’s enormously effective.”

To learn more about Pwned Passwords v2, check out Hunt’s blog post here.

The updated feature is part of Have I Been Pwned, Hunt’s service that lets people check whether a security incident such as the Wishbone data breach has exposed their email addresses or usernames.
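The k-Anonymity model behind the 1Password integration, as an added illustration that is not Hunt’s, Have I Been Pwned’s or 1Password’s own code: the client SHA-1 hashes the password and sends only the first five hex characters; the service answers with every stored hash suffix sharing that prefix (a few hundred on average for a 501-million-entry list) together with its breach count, and the match is made locally, so the full hash never leaves the client. The range-query server and its breached-password corpus are simulated in-process here with constructed data.

```python
import hashlib

# Constructed stand-in for the breached-password corpus: plaintext -> breach count.
# Made up for this example; the real service stores only SHA-1 hashes, never plaintext.
BREACHED = {"password": 3303003, "123456": 20760336, "qwerty": 3599486, "letmein": 236000}

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password (the form the list uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(prefix: str) -> str:
    """Simulated server side of the range API: given a 5-hex-char prefix, return
    every stored hash whose SHA-1 starts with it, one "SUFFIX:COUNT" line each.
    The server learns only the prefix, which is shared by many unrelated hashes."""
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    lines = []
    for plaintext, count in BREACHED.items():
        digest = sha1_hex(plaintext)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")  # 35-char suffix and its count
    return "\n".join(lines)


def pwned_count(password: str) -> int:
    """Client side of the k-Anonymity check. Only the first 5 hex characters of the
    SHA-1 are sent; the remaining 35 are compared locally against the returned
    suffixes. Returns the breach count, or 0 when the password is not in the set."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0
```

A password-change form can reject or warn on any candidate where `pwned_count` is non-zero; the count itself is useful for telling a user how widely their choice has already been exposed.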

Weekly Update 75

Presently sponsored by: Build scalable, reliable and secure cloud native applications with Tech Fabric

Every now and then, I look at one of the videos I’ve just recorded and only realise then how tired I look. This was one of those weeks and it was absolutely jam-packed! There was some awesome stuff and there was some very frustrating stuff. Let me add briefly to the latter here:

The joy of participating in online communities is that we have these melting pots of diverse backgrounds and ideas all coming together in one place. A huge portion of what I’ve learned personally has come from very robust debates within these communities and in turn, I hope others have also learned from me. These discussions are awesome; they make us all better people and better professionals. Some people in those chats turned out to be pretty aggressive yesterday but rather than focus on the negative, I thought I’d share a talk titled “Hack Your Career” (deep-linked to the right point, watch the 3 and a half minutes from there) and in particular, this quote:


Now, onto the good stuff and because this one went for more than an hour, I’m listing the times different bits are talked about here so you can jump directly to bits of interest:

03:52 – Australia’s Notifiable Data Breach Scheme
11:40 – We’re going all HTTPS (and some people are pretty angry about that)
22:40 – The defences (and rebuttals) of EV certs
44:00 – Pwned Passwords (this is the good stuff!)

iTunes podcast | Google Play Music podcast | RSS podcast


  1. Australia now has a mandatory disclosure law (it’s called the “Notifiable Data Breach Scheme” or “NDB” here; this is a webinar I did on it yesterday)
  2. DoesMySiteNeedHTTPS.com (yes, and that link has all the reasons why)
  3. I did actually go and get an EV cert a couple of years ago (and there were a bunch of hoops to jump through)
  4. My blog on the futility of EV certs (the more you think about it, the less sense they make today)
  5. In my “I’m Pwned. You’re Pwned. We’re All Pwned.” talk, I cover EV (this is the one you want to watch to understand why it doesn’t work, watch from the deep-linked point in the video where I ask the audience questions, it’s really telling)
  6. Pwned Passwords V2 – I’m pretty stoked about this (that’s the whole background story, it’s a long read but I wanted it to be complete)
  7. Tech Fabric are sponsoring my blog this week (and they picked an awesome week to do it too!)

What Is RFID Skimming?

Security breaches are increasingly affecting organizations across many domains as they rely heavily on technology to reduce operational costs and improve efficiency.

The United States is the world leader in data breach incidents. According to a report shared by the Identity Theft Resource Center in 2017, security breach incidents in the U.S. hit a new record of 1579 breaches, exposing more than 171 million organizational and customer records. Moreover, the International Data Corporation estimates that by the year 2020, over 25 percent of the world’s population will be affected by data breaches and cyber crime owing to mankind’s growing dependence on the latest technological advancements.

What is Radio Frequency Identification (RFID) technology?

Radio Frequency Identification (RFID) technology uses radio-frequency electromagnetic fields to identify and track people, vehicles, and assets that carry RFID tags, without the need for direct contact.

Owing to its cost-effectiveness, speed of operation, and ease of use, this pervasive technology has replaced several older technologies such as barcodes and magnetic swipe cards. Consequently, RFID is used in supply chain management, retail, automated payment systems, airline baggage handling, toll and parking systems, and prescription management systems in healthcare. However, organizations need to be aware of and address a few security and privacy risks when adopting RFID.

Like most technologies and networks, RFID systems are vulnerable to physical and electronic attacks, namely reverse engineering, power analysis, eavesdropping, sniffing, denial of service, cloning, spoofing, and viruses. As this technology matures and finds new applications, attackers will continue to seek novel methods to access private information, infiltrate secure networks, and take systems down for their own gain.

RFID tags respond to any compatible reader that interrogates them, increasing the risk of unauthorized reading and modification of the data on the tag. In other words, anyone who has an RFID card reader can interrogate tags and access their contents.

How is RFID technology being used by malicious actors?

A new breed of digital pickpockets armed with RFID card readers can pick up details of credit and debit cards in a matter of seconds. Similarly, attacks on POS (point-of-sale) systems can cause large-scale security breaches. For instance, in December 2013, hackers gained access to the RFID-enabled POS system of Target Stores, a US-based retail giant, by installing card readers to track the card details of more than 40 million customers.

This technology is becoming increasingly relevant to businesses. Consequently, it is crucial for organizations to mitigate future attacks by employing encryption, chip coatings, signal blocking, and authentication methods. For instance, wrapping an RFID-enabled card in metal foil or investing in RFID-blocking wallets, passport pouches, and sleeves can stop unauthorized readers from accessing private data, preserving your organization’s authenticity, integrity, and confidentiality.

The infographic below is a handy guide to understanding RFID skimming and data theft. It will help you understand how hackers can misuse RFID technology to gain access to your confidential data, increasing the risk of identity theft and fraud. You will also find practical tips on how to protect your organization and employees from these attacks.

About the Author: Edward Shaw is a tech enthusiast and has a great interest in data security. He loves to share his knowledge through his writings on various tech blogs.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Chase ‘Glitch’ Exposed Customer Accounts

Multiple Chase.com customers have reported logging in to their bank accounts, only to be presented with another customer’s bank account details. Chase has acknowledged the incident, saying it was caused by an internal “glitch” Wednesday evening that did not involve any kind of hacking attempt or cyber attack.

Trish Weller, director of communications for the retail side of JP Morgan Chase, said the incident happened Wednesday evening, for “a pretty limited number of customers” between 6:30 pm and 9 pm ET who “sporadically during that time while logged in to chase.com could see someone else’s account details.”

“We know for sure the glitch was on our end, not from a malicious actor,” Weller said, noting that Chase is still trying to determine how many customers may have been affected. “We’re going through Tweets from customers and making sure that if anyone is calling us with issues we’re working one on one with customers. If you see suspicious activity you should give us a call.”

Weller urged customers to “practice good security hygiene” by regularly reviewing their account statements, and promptly reporting any discrepancies. She said Chase is still working to determine the precise cause of the mix-up, and that there have been no reports of JPMC commercial customers seeing the account information of other customers.

“This was all on our side,” Weller said. “I don’t know what did happen yet but I know what didn’t happen. What happened last night was 100 percent not the result of anything malicious.”

The account mix-up was documented on Wednesday by Fly & Dine, an online publication that chronicles the airline food industry. Fly & Dine included screenshots of one of their writer’s spouses logged into the account of a fellow Chase customer with an Amazon and Chase card and a balance of more than $16,000.

Kenneth White, a security researcher and director of the Open Crypto Audit Project, said the reports he’s seen on Twitter and elsewhere suggested the screwup was somehow related to the bank’s mobile apps. He also said the Chase retail banking app offered an update first thing Thursday morning.

Chase says the oddity occurred for both chase.com and users of the Chase mobile app. 

“We don’t have any evidence it was related to any update,” Weller said.

“There’s only so many kind of logic errors where Ken logs in and sees Brian’s account,” White said. “It can be a devil to track down because every single time someone logs in it’s a roll of the dice — maybe they get something in the warmed up cache or they get a new hit. It’s tricky to debug, but this is like as bad as it gets in terms of screwup of the app.”

White said the incident is reminiscent of a similar glitch at online game giant Steam, which caused many customers to see account information for other Steam users for a few hours. He said he suspects the problem was a configuration error someplace within Chase.com “caching servers,” which are designed to ease the load on a Web application by periodically storing some common graphical elements on the page — such as images, videos and GIFs.

“The images, the site banner, all that’s fine to be cached, but you never want to cache active content or raw data coming back,” White said. “If you’re CNN, you’re probably caching all the content on the homepage. But for a banking app that has access to live data, you never want that to be cached.”

“It’s fairly easy to fix once you identify the problem,” he added. “I can imagine just getting the basics of the core issue [for Chase] would be kind of tricky and might mean a lot of non techies calling your Tier 1 support people.”
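White’s caching explanation, as an added illustration that is not from Krebs, Chase or White and makes no claim about how Chase’s systems are actually built: a shared caching tier keyed on URL path alone sits in front of a constructed origin that serves a static logo and a per-user account page. When the account page carries no Cache-Control header, the cache stores the first user’s copy and hands it to the next user (the “Ken sees Brian’s account” case); marking it private and no-store keeps it out of the shared cache while the logo still caches. The user names follow White’s quote; all requests and responses are simulated in-process.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Response:
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def origin(path: str, user: str, mark_private: bool) -> Response:
    """Constructed origin server. The logo is safely public; the account page is
    live per-user data and is marked private/no-store only in the fixed configuration."""
    if path == "/logo.png":
        return Response("<logo bytes>", {"Cache-Control": "public, max-age=86400"})
    headers = {"Cache-Control": "private, no-store"} if mark_private else {}
    return Response(f"account of {user}: balance 16000", headers)


class SharedCache:
    """Caching tier in front of the origin. The cache key is the path only, so a stored
    response is returned to whoever asks for that path next."""

    def __init__(self, mark_private: bool):
        self.mark_private = mark_private
        self.store: Dict[str, Response] = {}
        self.origin_hits = 0

    def fetch(self, path: str, user: str) -> Response:
        if path in self.store:
            return self.store[path]  # served without regard to who is logged in
        self.origin_hits += 1
        resp = origin(path, user, self.mark_private)
        if self._storable(resp):
            self.store[path] = resp
        return resp

    @staticmethod
    def _storable(resp: Response) -> bool:
        # A response with no Cache-Control at all is stored (a permissive default);
        # "private" or "no-store" keeps it out of the shared store.
        cc = resp.headers.get("Cache-Control", "").lower()
        return "private" not in cc and "no-store" not in cc


def simulate(mark_private: bool) -> Tuple[str, str, int]:
    """Ken views his account, then Brian views his; both then load the logo.
    Returns what each saw on the account page and how many origin fetches occurred."""
    cache = SharedCache(mark_private)
    ken = cache.fetch("/account", "ken").body
    brian = cache.fetch("/account", "brian").body
    cache.fetch("/logo.png", "ken")
    cache.fetch("/logo.png", "brian")
    return ken, brian, cache.origin_hits
```

With `mark_private=False` Brian receives Ken’s account body from the cache after a single origin fetch; with `mark_private=True` each user gets their own page and only the logo is served from cache.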

Update, 8:10 p.m. ET: Added comment from Chase about the incident affecting both mobile device and Web browser users.
