Troy Hunt, the operator of Have I Been Pwned?, has identified a significant data breach involving nearly 71 million unique credentials from various websites, including Facebook, Roblox, and eBay. This breach stands out because approximately 25 million of the passwords had not been previously leaked, indicating a fresh source of data likely originating from malware that captures credentials from infected machines. The compromised passwords, many of which are weak and susceptible to dictionary attacks, were found in plaintext rather than as the cryptographic hashes usually seen in website breaches.
Hunt confirmed the authenticity of the data by verifying a sample of the credentials. He also noted that a large portion of the data might have originated from credential stuffing attacks rather than malware. The breach highlights the importance of strong password practices, such as using long, randomly generated passwords or passphrases, storing them in a password manager, and enabling two-factor authentication. Hunt also recommends using passkeys, a new authentication standard, and checking Have I Been Pwned? to see if your credentials have been compromised.
Read more at Ars Technica…