Collaborate Disseminate
The conundrum I refer to in the title of this post is the one faced by a breached organisation: disclose or suppress? And let me be even more specific: should they disclose to impacted individuals, or simply never let them know? I’m writing this after many recent such
TL;DR — Tens of millions of credentials obtained from info stealer logs populated by malware were posted to Telegram channels last month and used to shake down companies for bug bounties under the misrepresentation the data originated from their service.
How many attempted scams do you get each day?
Continue reading Begging for Bounties and More Info Stealer Logs
Last week, a security researcher sent me 122GB of data scraped out of thousands of Telegram channels. It contained 1.7k files with 2B lines and 361M unique email addresses of which 151M had never been seen in HIBP before. Alongside those addresses were passwords and, in many cases, the
Continue reading Telegram Combolists and 361M Email Addresses
Today we loaded 16.5M email addresses and 13.5M unique passwords provided by law enforcement agencies into Have I Been Pwned (HIBP) following botnet takedowns in a campaign they’ve coined Operation Endgame. That link provides an excellent overview so start there then come back to this blog
We often do that in this industry, the whole “1.0” thing, but it seems apt here. I started Have I Been Pwned (HIBP) in 2013 as a pet project that scratched an itch, so I never really thought of myself as an “employee”. Over time,
Continue reading Have I Been Pwned Employee 1.0: Stefán Jökull Sigurðarson
I hate having to use that word – “alleged” – because it’s so inconclusive and I know it will leave people with many unanswered questions. But sometimes, “alleged” is just where we need to begin and over the course of time, proper attribution is
Continue reading Inside the Massive Alleged AT&T Data Breach
I’ve always thought of it a bit like baseball cards; a kid has a card of this one player that another kid is keen on, and that kid has a card the first one wants so they make a trade. They both have a bunch of cards they&
so I checked my passwords with the Google Password Manager integrated into Chrome.
Google shows me Passwords as "hacked" that https://haveibeenpwned.com/Passwords says are fine, and also Google lists Passwords as okay/weak that h… Continue reading Google Password Manager vs Have I Been Pwned [closed]
It feels like not a week goes by without someone sending me yet another credential stuffing list. It’s usually something to the effect of “hey, have you seen the Spotify breach”, to which I politely reply with a link to my old No, Spotify Wasn’
Continue reading Inside the Massive Naz.API Credential Stuffing List
I’m worried that there could be some particular private information about me be leaked somewhere online.
I’m already aware of haveibeenpwned.com and doxbin.com, but what other sites exist there where I can look, especially deep websites?
… Continue reading Where can i look which information about me exists online [closed]