Collection #1
Troy Hunt published this morning: Collection #1, an aggregation of roughly 773 million unique email addresses and 21 million unique passwords, stitched together from many older breaches and in public circulation as a ready-made credential-stuffing list. The aggregate exposed-credential population continues to grow.
Quora disclosed yesterday: 100 million users affected in a breach detected on Friday. The disclosure is fast and the password posture is sound. A useful contrast with Marriott.
Reddit disclosed yesterday: an attacker intercepted the SMS codes protecting employee accounts, defeating the company's SMS-based two-factor authentication, and accessed historical user data including a 2007 database backup. The lesson is that SMS is an interceptable second factor, not a phishing-resistant one.
Twitter disclosed yesterday that a bug had logged user passwords in plaintext to an internal log file. The disclosure is unusually clean and the lessons are about logging hygiene.
Yahoo confirmed today: a 2014 breach affecting at least 500 million accounts. State-actor attribution. The disclosure timing during a Verizon acquisition is its own story.
The LinkedIn breach from 2012 has resurfaced, and the population is not the 6.5 million password hashes originally disclosed. It is 167 million accounts, roughly 117 million of them with passwords attached. Credential reuse just got worse.
The Hold Security disclosure on Tuesday — that a Russian group has accumulated approximately 1.2 billion username/password pairs from approximately 420,000 websites — has produced more debate about disclosure economics than about the underlying credentials.