
Comment by throwup238

9 months ago

> While the specifics of the data breach remain unclear, the trove of data was put up for sale on the dark web for $3.5 million in April, the complaint reads.

I guess they failed to sell it because links to the leaked data on usdod.io have been available on Breachforum/Leakbase for over a week now. Someone created a magnet link yesterday and it's fully seeded so speeds are fast.

The data in the breach is irreversibly public now.

> Someone created a magnet link yesterday

Are you against simply sharing the infohash here? I'd like to download the leak to see what information it has on myself and my family, but I don't really relish the idea of signing up for a breachforums account and sifting through its posts if I can avoid it.

  • Here is a strongly encrypted base64 version to keep hackers out:

    bWFnbmV0Oj94dD11cm46YnRpaDozY2FhNzFmM2VjOGNiY2NjNmZjYTRmZWI3MTg1ZGEyYmFiMTQ5YmE3JmRuPU5QRCZ0cj11ZHA6Ly90cmFja2VyLm9wZW5iaXR0b3JyZW50LmNvbTo4MCZ0cj11ZHA6Ly90cmFja2VyLm9wZW50cmFja3Iub3JnOjEzMzcvYW5ub3VuY2U=

    Allegedly, the password (also base64 encrypted) is:

    aHR0cHM6Ly91c2RvZC5pby8=

  • BitTorrent uses something called a "distributed hash table", for which there exist services to search it (btdig, etc). You can use one of those alongside the torrent name (NPD) to find it.

    I haven't downloaded it, but my understanding is that the data comes compressed and with a (weak) password.

  • fyi that is likely to be a crime; at the very least there have been cases of websites being punished for linking to illegally distributed IP (even if not hosting it).

    • I'd be worried about legal repercussions if we were talking about the latest Disney movie, but this is merely the private information of a billion people. Never seen IP law give much of a crap about that before.


    • Is this NPD's "IP" though? Is my personal information that company scraped, now that company's intellectual property?

Nobody's gonna pay that much money for it when you can get it from ad companies for pennies

Now everyone just needs to send their email addresses to HIBP, i.e., email HIBP, so he can connect these identities with IP addresses and working email accounts. For people's protection of course.

After everyone "has been pwned" then there is no need for HIBP. The answer is always "yes". Yet I am certain sites like "HIBP" will never go away. Something about email marketing.

Some HN commenter(s) will inevitably try to defend HIBP. But this comment also refers to sites "like HIBP" that use data breach dumps opportunistically to generate web traffic, collect IP and email addresses. Some folks just do not see what is wrong with the idea.

  • There is trust involved here. And people trust Troy Hunt.

    And of course you can download SHA ranges and do lookup offline: https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...

    He even previously encouraged downloading via torrent, but now it seems there is a custom tool to download that data.

    • The offline lookup is just for passwords (the pwned passwords service) and is used to prevent people from using known breached passwords.

      There is no offline availability for the Have I Been Pwned data on which emails were present in which breaches. Access to this data is rate limited and paid API keys are needed for bulk access.
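An added example (not HIBP's own code) of the offline password check the two comments above describe: hash the candidate password, use the first five hex characters of its SHA-1 as the range prefix, and search the matching downloaded range file locally, so the password never leaves the machine. The range text below is constructed and its count is made up; the one-file-per-prefix directory layout in `load_range_from_dir` is an assumption about how the downloaded set is stored.

```python
import hashlib
import os
from typing import Callable, Optional

# Constructed stand-in for a downloaded Pwned Passwords range file for prefix "5BAA6".
# Each line is "<35-hex-char SHA-1 suffix>:<breach count>". Only the first entry is a
# real suffix (SHA-1 of "password"); the count and the other lines are made up.
SAMPLE_RANGE_FILES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    ]),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the digest Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Split a 40-char digest into the 5-char range prefix and 35-char suffix."""
    return digest[:5], digest[5:]


def parse_range(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map, ignoring blank lines."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts


def load_range_from_dir(directory: str) -> Callable[[str], Optional[str]]:
    """Loader for an assumed layout of one file per prefix: <directory>/<PREFIX>.txt."""
    def load(prefix: str) -> Optional[str]:
        path = os.path.join(directory, f"{prefix}.txt")
        if not os.path.isfile(path):
            return None
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    return load


def breach_count(password: str, load_range: Callable[[str], Optional[str]]) -> Optional[int]:
    """Times the password appears in breaches (0 if absent); None if the range
    file for its prefix is not available offline, so the caller can fail closed."""
    prefix, suffix = split_hash(sha1_hex(password))
    text = load_range(prefix)
    if text is None:
        return None
    return parse_range(text).get(suffix, 0)
```

A password policy built on this would reject any count greater than zero and treat None as "cannot verify" rather than silently allowing the password.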

    • The downloads are the way to go IMHO. But this is coming a little too late. "HIBP" is already making money from "paid API" and other commercial nonsense. Profiting from data breaches. While posing as a hero, catering to a dedicated following. This is, IMHO, everything that is wrong with the web.

      The issue I am raising is not whether a particular website operator claiming to be in possession of data breach dumps, that any web user can download themselves, is "trustworthy" or not. The point I am raising is the unnecessary data collection. If these downloads were available from the website from day one, then there would be no "paid API" nor partnerships with so-called "tech" companies or HN HIBP following. There would not be "HIBP" proponents trying to suppress any criticism of it, defending its every move despite its past mistakes. Most importantly, there would be less/no need for "trust".

      HIBP is a particularly ugly symbol of the problem of web intermediaries/middlemen and everything/anything "as a service". As expected, HN commenters will not like this viewpoint as they may themselves be trying to profit from such intermediation and the data collection it enables. They may have even convinced themselves they are doing good.


  • Using data breach dumps to get web traffic and IP/email addresses under the guise of "helping" is lame. Then partnering with so-called "tech" companies that collect data as a "business". Data collection is the cause of the problem not the solution.