38 comments

[ 4.1 ms ] story [ 330 ms ] thread
Multifactor authentication or bust.
The irony is darkbeam positions itself as a digital risk management platform. A based SOC2 security audit would reveal these vulnerabilities.
No. Only if the database was exposed at the time of the audit.
Well, if you have some compliance automation. These things are caught very easily.
The things you're saying make it sound like you are harming clients by misrepresenting security to them.

Security has to start from "when", not "if", precisely because it is fundamentally impossible to guarantee.

Culprit: non-password protected instances
The company I work for (stytch.com, we provide an authentication API) tracks breached passwords and, depending upon config, will invalidate passwords that have been leaked. Will be interesting to watch our logs over the coming weeks.
.. do you happen to have a service that lets users know if their password was in the breach?
^yup, haveibeenpwned is the best public service to check this sort of thing. I don't think they've pulled it in yet.
yeah but do they have this breach yet?

edit: the OP suggests there are some password lists that are known leaked but not in public leak docs. not sure if pwned is only public leaks?

No evidence is presented that anybody but the security researcher noticed the unprotected data. The data is a compilation of previously leaked emails.
(comment deleted)
To +1 this:

>... from previously reported and non-reported data breaches.

"exposing records with user emails and passwords from previously reported and non-reported data breaches."

I think you mean to say that there is no evidence presented precluding someone grabbing the data?

Not sure what your point is about non-reported, but that's still previously leaked data. It probably means stuff found in the dark webs.
(comment deleted)
Each time a breach like this happens I want to download the file and check if

1. My emails are in the dataset, and

2. Any of my passwords are in that dataset.

I really just want the collection of passwords so that I can use it as a check against any of my current passwords.

[EDIT: I know about haveibeenpwned.com; I'm not asking for a service that I send a http request to to determine if a single username exists in the db, I want the db itself so I can chuck it into sqlite and check multiple records at a single time, quickly, for both usernames alone and passwords alone

I also believe it's a bad idea to ask a third-party to perform the check. Even if you trust that third-party now, there is no way to ensure that trust in the future - i.e. it gets bought, breached or pwned itself in the future and best case scenario is that the record of your username lookup is available as "confirmed". Without visiting that site, no one would never know if that record was a throwaway or not.]

If you use any of the better password managers this feature exists and runs automatically. If you don't want to go that route, then you can make use of https://haveibeenpwned.com/
Thank you, I've edited my comment to be more specified
I have a gmail account which google one shows, it along with a username has been leaked on dark web, but haveibeenpwned shows email was not found in any data breach. How is that possible?
I agree - download all the passwords and don't single out what you're checking for someone else to see.

I don't know why we can't use this kind of thing for better privacy everywhere.

A similar example (outside the realm of passwords) would be when checking for a software update. Instead of sending "i have software xyz version 1.2.3", just download a current list of software and check it locally against your software. Probably would be faster anyway to download a static dataset instead of hitting a remote database.

Each time a breach like this happens I want to download the file and check if;

1. People on my s*t list are in the dataset, and

2. Any of their passwords are in that dataset.

Then I can use the information to make their lives miserable.

That sounds like a slam-dunk GDPR violation case and a hefty fine.
The data breach announcement is a bit vague on the meaning of “login pairs”. The best practices of breaches databases of the like of https://haveibeenpwned.com/ is to maintain records of login matter (username, email, password etc) in a strongly hashed format. This still enables searching and comparing but not extracting for later use. Why the database here looks like plain text is totally unclear. Or maybe the passwords are hashed here also (which anyway exposes email addresses)?
>Use our personal data leak checker to see if your data – email, phone number, or password – has been leaked.

What is the chance that my email and phone number aren't everywhere? Email and phone aliases are still rare.