I reported on a data leak earlier this year that included a whopping 184,162,718 passwords and logins affecting the likes of Apple, Facebook and Instagram users. That data leak was disclosed on May 22, and now, in what could, or could not be, a rather spooky-seeming coincidence, news of 183 million passwords and login credentials from an April 2025 leak has emerged. Adding the details of website URLs, email addresses and passwords to the Have I Been Pwned database, owner Troy Hunt said the data consisted of both “stealer logs and credential stuffing lists” including confirmed Gmail login credentials. While confirming that all major email providers have credentials within the leak database, including Microsoft Outlook and Yahoo, Hunt said that “they’re from everywhere you could imagine, but Gmail always features heavily.” Here’s what we know and what you need to do.

Have I Been Pwned is something of a staple resource for anyone who is genuinely concerned about their account login security. Why so? Because it’s the go-to for discovering when any of your email addresses, accounts or passwords are found in data leaks, dark web password breach lists and the like. Best of all, it’s entirely free to use. When a new entry appears with the number of affected accounts being 183 million, and the compromised data listed as email addresses and passwords, more than a few heads will pop up above the parapets and pay attention. Mine certainly did following the Oct. 21 addition.

Having done some digging for further information, I was drawn to a lengthy analysis by Hunt himself, which looked inside the Synthient threat data provided to HIBP. Benjamin Brundage from Synthient revealed in a blog posting that the data came from the results of monitoring infostealer platforms over the course of close to a year. The total amount of information sent to HIBP comprised 3.5 terabytes of data, 23 billion rows of it in all.

The output of the stealer logs concerned, Hunt said, consisted primarily of three things: website address, email address and password. “Someone logging into Gmail,” Hunt wrote, “ends up with their email address and password captured against gmail.com, hence the three parts.” Of course, there’s a lot of recycling of credentials that goes on in the cybercriminal world, so Hunt initially wanted to check the freshness of the database he had in his hands. An analysis of a 94,000-entry sample revealed that 92% were not, in fact, new. “Most of what has been seen before was in the ALIEN TXTBASE stealer logs,” Hunt confirmed. However, the math wizards out there will have noted that this still leaves 8% that is new and fresh, or more than 14 million credentials if you extrapolate. Actually, the final tally was 16.4 million addresses previously unseen in any data breach, not just stealer logs.

HIBP also checks to see if the credentials are genuine by sending some of the details to people on the subscriber base who are impacted. “One of the respondents was already concerned there could be something wrong with his Gmail account,” Hunt said, and that person was able to validate that the entry was “an accurate password on my Gmail account.”

Google has taken to social media to try to stem the misreporting concerning this incident, which has been framed as 183 million Gmail accounts being breached. That framing is incorrect, as my article explains in some detail. I have reprinted the entire statement here in the hope of adding even further clarification.

“Reports of a ‘Gmail security breach impacting millions of users’ are false. Gmail’s defenses are strong, and users remain protected. The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web. It’s not reflective of a new attack aimed at any one person, tool, or platform.
Users can protect themselves from credential theft by turning on 2-step verification and adopting passkeys as a stronger and safer alternative to passwords, and resetting passwords when they are found in large batches like this. Gmail takes action when we spot large batches of open credentials, helping users reset passwords and resecure accounts.”

Of course, it is not just Gmail users who will be affected by this leak, so I would advise everyone to go and check at HIBP to see if their account credentials might be included. I reached out to my contacts at Google for a statement, and a spokesperson told me: “This report covers broad infostealer activity that targets many types of web activities. When it comes to email, users can help protect themselves by turning on 2-step verification and adopting passkeys as a simpler and stronger alternative to passwords.”

Google also advised Gmail users that if they have any reason to believe that their accounts have been hacked, they should immediately sign in and review the account activity. If you can’t sign in, Google said, then head for the account recovery page and answer the questions that are presented to the best of your ability. “Additionally, to help users, we have a process for resetting passwords when we come across large credential dumps such as this,” Google noted.

At this year's DEF CON conference in Las Vegas, white hat security researcher Marek Tóth demonstrated how threat actors could use a clickjack attack to surreptitiously trigger and hijack a passkey-based authentication ceremony. In the big picture, this is a story about how password managers could be tricked into divulging login information -- either traditional credentials such as user IDs and passwords or credential-like artifacts associated with passkeys -- to threat actors.

Are password managers to blame? Tóth -- the researcher who discovered the exploit -- suggests that they are, but the answer is more complicated. Fully locking down any automated process is invariably the result of security in layers. Across the vast majority of use cases where digital security matters, there's almost never a single silver bullet that wards off hackers. Depending on the layers of technology that combine to complete a workflow (for example, logging into a website), responsibility for the security of that process is shared by the parties that control each of those layers. Yes, the password managers are one layer in stopping the exploit. But website operators and end-users -- the parties in control of the other layers -- must trade too much security for convenience in order for the exploit to work. Pointing fingers is useless. All parties at every layer must take action.
Every summer, the cybersecurity industry gathers in Las Vegas for the back-to-back Black Hat and DEF CON conferences, where security researchers take turns presenting their "big reveals." During the year leading up to the event, these researchers work to discover new, unreported vulnerabilities. The bigger the vulnerability and the more users affected, the greater the attention (and possibly the financial reward) that awaits a researcher. This year, several researchers announced a handful of issues that challenged the supposed superiority of passkeys as a login credential. Unfortunately, despite their superiority, the passkey user experience varies so wildly from one website and app (collectively, "relying parties") to the next that passkeys risk being globally rejected by users.

Despite these barriers to adoption, and in the name of doing the most to protect yourself (often from yourself), my recommendation continues to be: Take advantage of passkeys whenever possible. In the interest of delivering sound advice to ZDNET's readers, I always double-check the veracity of any headlines that challenge the viability and superior security of passkeys. Various reports emerged from this year's Black Hat and DEF CON, citing potential trouble in passkey paradise. The one that got the most attention came from Tóth, who -- under a combination of very specific technical preconditions -- has discovered a way to hijack passkey-based authentications while those authentications are in progress. Although the exploit happens in the blink of an eye, it involves a complicated set of interactions and preconditions that, taken together, present a series of non-trivial obstacles to the attacker's chances of success. At its heart, Tóth's exploit never steals a user's passkey (one of the core tenets of passkeys is that they can't be stolen). But it essentially steals the next best thing.

At the moment that a user is tricked into inadvertently authenticating to a website with a passkey, the exploit intercepts a payload of information that was manufactured by the user's password manager with the help of his or her passkey to that site. As described in part 5 of my series on How Passkeys Actually Work, this payload is called the PublicKeyCredential, and it's like a one-time, single-use golden ticket that contains everything necessary for the user to log into their account on the legitimate website. Once the attacker gains possession of this golden ticket, it can be used to log the attacker's system into the victim's account as though the attacker's system were the victim's system. And that's exactly what this exploit does. After loading malware into the victim's browser, the exploit -- a malicious cross-site script (XSS) -- intercepts that golden ticket and, instead of presenting it for entry into the legitimate site (as the user's browser typically does at the request of the password manager), it sends it to the attacker's website. Then, with that golden ticket in hand, the attacker submits that same ticket from their own system to the legitimate website, effectively logging the attacker's system into the user's account on the legitimate website.

But, as mentioned earlier, Tóth's discovery relies on the pre-existence of several conditions involving the website in question, the user's choice of password manager, how they have that password manager configured, and the website operator's choice of technology for adding the ability to authenticate with a passkey. Whether you're an end-user, the operator of a website, or the vendor of a password manager, it's important to understand these conditions because, once you do, you'll also understand the defense. You can also judge for yourself who among the involved parties is most responsible for the vulnerability.
Microsoft says the 'Extended Security Updates' program is rolling out in waves and will be available to all by October 14, 2025.

Microsoft is set to cut support for Windows 10 on October 14, 2025. This move has received a lot of backlash from users, with some openly expressing a preference for Windows 10 over Windows 11, citing flawed design elements and stringent minimum system requirements among their reasoning. While Windows 11 recently surpassed Windows 10 as the most dominant desktop operating system, the public interest group PIRG petitioned Microsoft to reconsider its decision to pull support for Windows 10, indicating that it could lead to the single biggest jump in junked computers ever.

Consequently, Microsoft has seemingly provided Windows 10 with a "buffer zone", or grace period, after its end of support. For instance, Windows 10 users can enrol in Microsoft's Extended Security Updates (ESU) program, which will grant them an extra year of support. It's worth noting that the company recently changed the terms of the program from $30 per device to $30 for up to 10 devices. A Microsoft Account is also a mandatory requirement to make this payment. You can pay for the extended support program using 1,000 Microsoft Reward points if you don’t want to hand over any hard cash, either. Alternatively, Windows 10 users can opt to sync PC settings data with the cloud via a Microsoft Account to continue receiving security updates from Microsoft for an extra year for free. As you may know, enrolling your PC into the ESU program is done via a dedicated app that began rolling out in waves in July. However, October is fast approaching, and as it seems, a huge chunk of Windows 10 users are yet to gain access to the Extended Security Updates program.

While Microsoft isn't leaving Windows 10 users completely high and dry after pulling the plug on the operating system, thanks to its ESU program, several groups have come out to indicate that it's not a viable solution for the over 400 million PCs that can't upgrade to Windows 11. The Restart Project group, which helped co-develop the "End of 10" toolkit to support Windows 10 users who can't upgrade to Windows 11, says Microsoft's move to continue pushing security updates to Windows 10 beyond its end-of-support feels like a last-minute snooze button, which only acts as a band-aid on a bleeding system. It's also calling on the political class for support, arguing: "Microsoft’s decision not only accelerates premature disposal but also undermines efforts to extend product lifespans and puts additional pressure on resource use and waste management systems."

Elsewhere, a group called End of 10 has been pushing for users to transition to Linux as Windows 10's end-of-life approaches. The campaign encourages steadfast Windows 10 users to ditch the Windows ecosystem entirely and switch to a version of Linux on any outdated devices, using a lack of ads and telemetry tracking as the key selling points to get users to move over. At the end of the day, the ESU program is a temporary solution for the issue, as users will still need to transition to a supported operating system, likely Windows 11. Microsoft hasn't been shy about its push to get users to upgrade.