Breach compilation notifications 20 Dec 2017
On Tuesday 19 December, AusCERT notified a large number of members whose credentials had been found online.
Credential notifications are a regular AusCERT service, but this round is a special event: it is based on a single large credential compilation containing around 1.4 billion credentials.
How do I open this file?
Suppose the file you've received is named yourdomain.zip.asc (the real name will differ; the part that matters is the .zip.asc ending). This is a PGP-encrypted zip file.
You will need OpenPGP software to decrypt it, e.g. GnuPG (GPG). The file is symmetrically encrypted, so no key pair is needed: you only need the passphrase.
Gpg4win GUI: open the file in Kleopatra and enter the decryption passphrase. If Kleopatra reports "error retrieving audit log: decryption failed", open a command prompt instead and follow the command-line instructions below.
GPG command line: run gpg yourdomain.zip.asc and enter the decryption passphrase when prompted.
This produces yourdomain.zip (the same name without the ".asc").
Then unzip that file. It contains one or more text files with the credentials we've found.
Where do I get the decryption passphrase?
Go to the "Symmetric key decryption details" page on the AusCERT member portal and log in with your member account.
We can't log in to the member portal.
If you know your organisation's AusCERT privileged contact(s), please ask them for access.
Otherwise, please contact AusCERT to begin regaining access.
If you have two-factor authentication set up, recall that the second factor is a code from a one-time password app, not an SMS.
Individual files are named by the domain they correspond to, with no extension added. As a result, some files end in '.com', which Windows treats as an executable command file, or '.au', which Windows treats as an audio file. Don't double-click them.
We'll send files with the '.txt' extension in future.
Please open every file in a text editor, such as WordPad or Notepad++ (right-click the file and choose the editor rather than relying on the default program).
Where did you get this data?
AusCERT found these credentials in a large collection online that aggregates data from many earlier breaches. It is likely that your users' credentials were stolen in other breaches, such as the LinkedIn breach; Have I Been Pwned maintains a list of the well-known ones.
Have we been breached?
It's hard to say.
Most of the data will have come from past attacks on other organisations' databases. Some may come from phishing attacks aimed directly at your users. In a data set this large, many small, unrelated incidents are compiled together into what looks like a single substantial attack.
It is unlikely, but possible, that your own organisation's database is the source of these credentials.
If any of these credentials were reused on internal company systems and are still active, there is potential for them to be abused.
What do we do now?
AusCERT recommends ensuring these credentials are no longer valid within your organisation: check whether the leaked passwords still work for the listed accounts and reset any that do. Consider contacting the affected users to advise them to change that password anywhere else it is still in use.
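The following script is an added example of how to triage a notification zip of the kind described above; it is not AusCERT's code and AusCERT does not publish a credential format. It assumes each file in the zip holds one credential per line as email:password (an assumption, split at the first colon because leaked passwords may themselves contain colons), and it stands in for the organisation's password store with a constructed dictionary of salted PBKDF2 hashes. It reads every zip member as text regardless of its apparent extension (so '.com' and '.au' files are handled without touching Windows file associations), survives lines that are not valid UTF-8, and sorts each leaked credential into: accounts whose current password is the leaked one (force a reset now), active accounts where the password differs (advise the user about reuse elsewhere), and disabled or unknown accounts. The sample zip and directory are constructed inline so it runs offline.

```python
import hashlib
import hmac
import io
import os
import zipfile

PBKDF2_ROUNDS = 50_000  # demo value; use whatever your real password store uses


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for your directory's hash (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def parse_credential_line(line: str):
    """Parse one 'email:password' line (assumed format); return None if it isn't one.

    Splits at the first colon only, because leaked passwords may contain colons.
    """
    if ":" not in line:
        return None
    email, password = line.split(":", 1)
    email = email.strip().lower()
    if "@" not in email or not password:
        return None
    return email, password


def load_notification(zip_bytes: bytes):
    """Yield (member_name, email, password) for every credential line in the zip.

    Members are named after the domain (e.g. 'example.com', 'example.com.au'), so
    the name's apparent extension is ignored and every member is read as text.
    Breach dumps often contain bytes that are not valid UTF-8; those are replaced
    rather than letting one bad line abort the whole run.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry, nothing to read
            text = zf.read(name).decode("utf-8", errors="replace")
            for line in text.splitlines():
                parsed = parse_credential_line(line)
                if parsed is not None:
                    yield name, parsed[0], parsed[1]


def triage(zip_bytes: bytes, directory: dict) -> dict:
    """Sort leaked credentials into actions.

    directory maps email -> {"salt": bytes, "hash": bytes, "active": bool}.
      reset_now:           active account and the leaked password is its CURRENT password
      active_no_match:     active account, leaked password differs (likely reused elsewhere)
      inactive_or_unknown: disabled account, or not one of ours
    """
    result = {"reset_now": set(), "active_no_match": set(), "inactive_or_unknown": set()}
    for _member, email, password in load_notification(zip_bytes):
        entry = directory.get(email)
        if entry is None or not entry["active"]:
            result["inactive_or_unknown"].add(email)
            continue
        candidate = hash_password(password, entry["salt"])
        if hmac.compare_digest(candidate, entry["hash"]):
            result["reset_now"].add(email)
        else:
            result["active_no_match"].add(email)
    # One live match is enough to force a reset, whatever the other leaked lines say.
    result["active_no_match"] -= result["reset_now"]
    return result


# --- constructed sample data so the script runs offline -----------------------

def build_sample_zip() -> bytes:
    """A notification zip as described in the post: one member per domain, no .txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example.com", (
            b"alice@example.com:Winter2017!\n"
            b"bob@example.com:pass:with:colons\n"
            b"this line is not a credential\n"
            b"carol@example.com:caf\xe9\n"          # Latin-1 byte, not valid UTF-8
        ))
        zf.writestr("example.com.au", (
            b"Dave@Example.com.au:Winter2017!\n"     # mixed case, normalised on parse
            b"eve@example.com.au:hunter2\n"
        ))
    return buf.getvalue()


def build_sample_directory() -> dict:
    """Stand-in for the organisation's password store (constructed)."""
    users = {
        "alice@example.com":   ("Winter2017!", True),       # leaked password still current
        "bob@example.com":     ("pass:with:colons", True),  # current, and contains colons
        "carol@example.com":   ("Summer2017", True),        # changed since the leak
        "dave@example.com.au": ("Winter2017!", False),      # account disabled
    }
    directory = {}
    for email, (password, active) in users.items():
        salt = os.urandom(16)
        directory[email] = {"salt": salt, "hash": hash_password(password, salt), "active": active}
    return directory


if __name__ == "__main__":
    for action, emails in triage(build_sample_zip(), build_sample_directory()).items():
        print(f"{action}: {sorted(emails)}")
```

In a real environment the password check would go through whatever your directory offers for verifying a candidate password (an authentication API or a password-verify call) rather than a copy of the hashes, and the decrypted plaintext files should be deleted once triage is done: they are themselves a set of working credentials.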