A staggering 16 billion logins exposed in epic data breach, including Apple accounts

All the protections mentioned here remain vulnerable to little-known operating system and internet protocol weaknesses. Some info stealing hacks are so simple I do not want to describe them. I highly recommend disconnecting your device from being online whenever you are not actively using it. Those who have wired connections can employ a switch box. Wireless is tougher to disconnect from and thus puts you at greater risk.
 
Some info stealing hacks are so simple I do not want to describe them. I highly recommend disconnecting your device from being online whenever you are not actively using it.
It sounds like you're saying that the risk of the bad guys getting your credentials is proportional to the amount of time you're connected to the Internet? I've never heard of unplugging while not in use as a mitigation strategy. Of course if your machine is already compromised and was being used by a bot net or as a Bitcoin miner, sure, unplug it. But by then the battle is already lost.

I would posit that most of the 16 billion came from phishing emails or other social engineering scams where people were fooled into divulging their credentials or allowing malware to be installed so every login could be monitored. All of those work with an intermittent Internet connection.
 
Use a separate email address for each user name/account - I have my own domain name and the email is handled by Apple's iCloud+ service. I set it to allow 'catch-all' emails, meaning anything before the '@' sign gets in.
That sounds like a great idea. Can you give a little more detail about how to set this up?
 
Sorry, but some of this stuff seems to me to be straying into tin-foil hat territory.
 
It sounds like you're saying that the risk of the bad guys getting your credentials is proportional to the amount of time you're connected to the Internet? I've never heard of unplugging while not in use as a mitigation strategy. Of course if your machine is already compromised and was being used by a bot net or as a Bitcoin miner, sure, unplug it. But by then the battle is already lost.

I would posit that most of the 16 billion came from phishing emails or other social engineering scams where people were fooled into divulging their credentials or allowing malware to be installed so every login could be monitored. All of those work with an intermittent Internet connection.

Was there any indication that the password information might have been stolen from a cloud archive like a Microsoft Account uses to prefill passwords in the browser or to restore all the saved passwords to the new machine when it asks to make the machine like your old one?

Was it saying that the passwords were stolen from user machines rather than stolen from host companies (possibly by inside job)?
 
Can someone explain the new "pass keys"? Do they replace user id and password? Do you still have pass key plus 2FA? Say pass key and yubikey or Google Authenticator?

Do they work only on phones? Do you need a finger print? What about pass key on laptop?
 
Can someone explain the new "pass keys"? Do they replace user id and password? Do you still have pass key plus 2FA? Say pass key and yubikey or Google Authenticator?

Do they work only on phones? Do you need a finger print? What about pass key on laptop?
I think passkeys require some biological print and are for each device. They serve in place of user id and password, but you still have those and would need them initially on another device. Your device is doing the authentication. 2FA in addition? Maybe not for that device for a certain amount of time.
 
Can someone explain the new "pass keys"? Do they replace user id and password? Do you still have pass key plus 2FA? Say pass key and yubikey or Google Authenticator?

Do they work only on phones? Do you need a finger print? What about pass key on laptop?
Here's a (fairly) quick summary from my AI chatbot:

The Old Way: Passwords (Like a Shared Secret Key)

Imagine you have a lock (your online account) and you make a physical key (your password) for it.
  • You make a copy of your key and give it to the company (website) so they can keep it.
  • Every time you want to open the lock, you take your key, and the company checks if it matches their copy.
  • The problem: If someone steals the company's copy of your key, or tricks you into giving them your key, they can open your lock. And if you use the same key for many locks, then stealing one copy opens everything!

The New Way: Passkeys (Like a Special Handshake)

Now, imagine your lock (online account) and your device (phone, computer) are much smarter.
  1. When you "make" a passkey:
    • Your device creates two special, unique pieces of a puzzle just for that specific website.
    • One piece is like a "public puzzle piece" that it sends to the website. The website keeps this.
    • The other piece is a "private puzzle piece" that stays only on your device. It never leaves.
    • Crucially: These two pieces are related, but you can't figure out the private piece just by knowing the public piece.
  2. When you "log in" with a passkey:
    • You tell your device, "Hey, I want to log into Example.com."
    • Your device then does a special "handshake" with Example.com using its private puzzle piece. It doesn't send the private piece; it just uses it to solve a little challenge given by the website.
    • The website then uses its public puzzle piece to verify that your device's answer to the challenge is correct.
    • If it matches, you're logged in!

Why is this much safer?
  • No Secret to Steal from the Website: The website only has the "public puzzle piece," which is useless to a hacker. They can't use it to log into your account, and they can't figure out your private piece from it.
  • Phishing Proof: The "handshake" only works with the real website. If a hacker tries to trick you with a fake website, your device will know it's not the right one and won't do the handshake. You literally can't be phished into giving away your passkey.
  • Unique for Every Account: Every passkey is unique for every website. No more worrying about reusing passwords!
  • You're the Key: To activate the "handshake," your device needs to confirm it's really you. This is why you often use your fingerprint, face scan, or PIN to unlock your phone before using a passkey. This adds an extra layer of security.
 
Thanks. It makes sense except when I try to think deeply about it. I follow that it is based on public-key private-key pairs. But I am realizing my understanding is vague.

Is it like: the device gives the web site the public key. At login the device signs something using the private key and the web site can validate the signature using the public key?

The "phishing proof" confuses me. Does the web site also provide the device with a public key and authenticate to the device in a similar way to the device authenticating to the web site?

When Grok explained it the downside was getting locked out if your device fails.
 
It sounds like you're saying that the risk of the bad guys getting your credentials is proportional to the amount of time you're connected to the Internet? I've never heard of unplugging while not in use as a mitigation strategy.

Yes. A security oversight present in all routers was recently discovered. If you don't patch it, pretty much anyone can find their way into your connected device at will. That's just one of several recent discoveries. The risk is likely to amplify in the near future because hackers are using AI to find exploits that no human had thought of. It's also wise to keep important data backups offline.
 
Here's a (fairly) quick summary from my AI chatbot:

The Old Way: Passwords (Like a Shared Secret Key)

Imagine you have a lock (your online account) and you make a physical key (your password) for it.
  • You make a copy of your key and give it to the company (website) so they can keep it.
  • Every time you want to open the lock, you take your key, and the company checks if it matches their copy.
  • The problem: If someone steals the company's copy of your key, or tricks you into giving them your key, they can open your lock. And if you use the same key for many locks, then stealing one copy opens everything!

The New Way: Passkeys (Like a Special Handshake)

Now, imagine your lock (online account) and your device (phone, computer) are much smarter.
  1. When you "make" a passkey:
    • Your device creates two special, unique pieces of a puzzle just for that specific website.
    • One piece is like a "public puzzle piece" that it sends to the website. The website keeps this.
    • The other piece is a "private puzzle piece" that stays only on your device. It never leaves.
    • Crucially: These two pieces are related, but you can't figure out the private piece just by knowing the public piece.
  2. When you "log in" with a passkey:
    • You tell your device, "Hey, I want to log into Example.com."
    • Your device then does a special "handshake" with Example.com using its private puzzle piece. It doesn't send the private piece; it just uses it to solve a little challenge given by the website.
    • The website then uses its public puzzle piece to verify that your device's answer to the challenge is correct.
    • If it matches, you're logged in!

Why is this much safer?
  • No Secret to Steal from the Website: The website only has the "public puzzle piece," which is useless to a hacker. They can't use it to log into your account, and they can't figure out your private piece from it.
  • Phishing Proof: The "handshake" only works with the real website. If a hacker tries to trick you with a fake website, your device will know it's not the right one and won't do the handshake. You literally can't be phished into giving away your passkey.
  • Unique for Every Account: Every passkey is unique for every website. No more worrying about reusing passwords!
  • You're the Key: To activate the "handshake," your device needs to confirm it's really you. This is why you often use your fingerprint, face scan, or PIN to unlock your phone before using a passkey. This adds an extra layer of security.
A major problem with passkeys is that all websites that support passkeys use passwords as a fallback. You also need to ensure that the device or password manager you utilize to store your portion of the passkey has a backup. Otherwise if you lose access to that device you need to recreate your passkeys on all your sites.
 
We're always told never to use the same password for different accounts.

But why? Suppose someone gets (1) my user ID, (2) my password and (3) the site which that particular user ID and password is able to access.

Now they can log on as me - but only at that one particular site.

They don't know which other sites I might have an account at, or what my user ID is at those sites.

The total number of websites in the world is estimated to be around 1.1 billion. At each of those, there could be a virtually unlimited number of different user accounts. The ID and password I used at some other site is irrelevant.

To me, better advice would be to just use common sense, and consider the impact of someone knowing the password for each site. For example, don't use the same ID and password at different local banks.
 
A major problem with passkeys is that all websites that support passkeys use passwords as a fallback. You also need to ensure that the device or password manager you utilize to store your portion of the passkey has a backup. Otherwise if you lose access to that device you need to recreate your passkeys on all your sites.
I think some use login name and some sort of 2 factor.
 
Here’s the latest breach, which includes Apple accounts for our Apple devices. At this point, I’m just assuming all tech and accounts are compromised.

Excerpt - “Security researchers have discovered what they describe as “one of the largest data breaches in history,” comprising a staggering 16 billion logins, which include Apple accounts (formerly known as Apple IDs).

The researchers said that the stolen data gives cybercriminals “unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing” …

A staggering 16 billion logins exposed in epic data breach, inc Apple accounts
There are fewer than 9 billion humans alive on Earth at this time. I have ZERO Apple devices and Apple logins, and I assume billions of non-Americans (Africa, China, etc.) also do not have any Apple devices.
What am I missing to make the 16 billion number even possible?
 
There are fewer than 9 billion humans alive on Earth at this time. I have ZERO Apple devices and Apple logins, and I assume billions of non-Americans (Africa, China, etc.) also do not have any Apple devices.
What am I missing to make the 16 billion number even possible?
It wasn’t only Apple devices or only Apple accounts.
 
If you have a login that's been exposed through previous breaches, then the login ID might appear multiple times with different passwords in this breach.

I noticed that credit watch reporting also may tell you about other identities associated with yours.

If we were designing for efficiency then of course we would whittle down excess. The modern tools don't mind repetition or redundant information. What is more important is to have everything, and let the criminal analyst deal with it.
 
A major problem with passkeys is that all websites that support passkeys use passwords as a fallback. You also need to ensure that the device or password manager you utilize to store your portion of the passkey has a backup. Otherwise if you lose access to that device you need to recreate your passkeys on all your sites.
This is not true if you use a password manager. 1Password handles all my passkeys, which I can then use from any device. Having it autofill those 6-digit codes is magic!
 
Another thing to note about that article is the use of hyperbole in the headline. Look at the choice of words: "Staggering," "Exposed," "Epic." Admittedly that's sort of the point of headlines, but this one seems a bit over the top as far as click bait goes.

But the point about having a backup if your primary device is unavailable is a good one. I once dropped my cell phone over the side on a long trip. If I did that today I'd be dead in a week. It seems that every account I need to access requires me to enter the number they text me. I've tried to put in alternate phone numbers and/or e-mail addresses where I can, but many of them don't support that.

Then there are those sites which want to do extra validation whenever you log on from a different IP address. Hello? This is 2025. Everything is mobile. We log in wherever we are, not just from some PC tethered to a desk.

Tying everything to one device or one location is just plain stupid. And frankly doesn't seem to be doing anything to prevent fraud.
 
Tying everything to one device or one location is just plain stupid. And frankly doesn't seem to be doing anything to prevent fraud.
Agreed! The problem, I think, is they want to know WHO YOU ARE, at the same time as the simpler problem of knowing you are THE SAME PERSON as before. The former is marketing, the latter is security. What they don't want is to allow you to make more than one relationship (i.e. look like more than one person). That would take the "free first month" marketing off the table. So they won't proceed without confirming your cell phone number (presuming you have exactly one of those). Then, once they get your cell phone number, that becomes the default "most secure" way to make sure it's not more than one person.

Sometimes you can associate an authenticator app with an account, and register that with the account. I have registered Aegis with some accounts and it holds my private key on multiple devices. Any of those devices can provide a code for the login challenge, so losing one device doesn't lock me out. For instance, Aegis on my wife's phone generates codes for my accounts.
 