Watchtower and 41Q password repository breach

Superfandominatrix
Superfandominatrix
Community Member
edited July 2019 in Lounge

Hi guys... bad guys phished my personal data from a government agency and I was extended use of free a monitoring service. One element monitored is email addresses, which I configured. Something called the "41Q password repository" apparently contains passwords associated with at least two of my email addresses. The dates of the breach are different for the two email addresses as well, Dec 2017 and Feb 2019. I do not reuse passwords between sites, so with my 300 logins, I have 300 unique passwords for those logins. I also make use of the "+" trick that Gmail offers and where I can, my user ID is MyName+SERVICENAME AT gmail.com. I only configured my basic non-plus email address in the monitoring service, because I didn't want to enter 250 different MyName+SERVICE1-N AT gmail.com email combinations. My googling about this particular 41Q has not turned up much of anything meaningful. The monitoring service remediation recommendation is to change password for all logins using the flagged email address as user ID.

Question to you: is Watchtower integrated with this 41Q password repository? Could you describe the exactly what is being checked (email only, password and email, or password only) if it is?

Because of my use of the Gmail + trick, there are probably more email combinations affected by this issue. Also, since all my passwords are unique, just because my email address appeared, it does not mean a particular service was impacted.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • arturoaubry
    arturoaubry
    Community Member

    Hi @Superfandominatrix

    I'm not a 1Pass team member, but you can read about Watchtower and how it works in this article and also in this one.

    My understanding is that 1Password cross-matches with haveibeenpwned.com by creating a 40-character hash of each password and sending only the first five characters of each hash to haveibeenpwned.com. This service provides a list of vulnerable passwords that have hashes starting with those same five characters, and 1Password compares them locally on your device. So, if I'm correct, your email is not being checked.

    Hope that helps! :)

  • Superfandominatrix
    Superfandominatrix
    Community Member
    edited July 2019

    Let me put up the exact wording from the monitoring service... Thanks @arturoaubry for the clarification about the Watchtower data source. I should have recollected the Watchtower source. I could not find any evidence haveibeenpwned.com/ included records from this 4iQ Password Repository. A bit concerning how little is discoverable about this particular breach.

    Type: Breach

    Source: 4iQ Password Repository

    In January 2019, a file containing aggregated exposed data, was found in the underground communities exposing 2200000000 records containing emails and passwords. This notification is not attributed to any source, it refers to a finding in the underground market

    We recommend you log into and change the password to any accounts where you use this email address to log in. Furthermore, be aware of any suspicious emails asking for your personal information as they may be phishing attempts designed to fool you into providing sensitive information to malicious websites

    Discovered: February 18, 2019

  • Superfandominatrix
    Superfandominatrix
    Community Member
    edited July 2019

    Let me put up the exact wording from the monitoring service... Thanks @arturoaubry for the clarification about the Watchtower data source. I should have recollected the Watchtower source. I could not find any evidence haveibeenpwned.com/ included records from this 4iQ Password Repository. A bit concerning how little is discoverable about this particular breach.

    Type: Breach

    Source: 4iQ Password Repository

    In January 2019, a file containing aggregated exposed data, was found in the underground communities exposing 2200000000 records containing emails and passwords. This notification is not attributed to any source, it refers to a finding in the underground market

    We recommend you log into and change the password to any accounts where you use this email address to log in. Furthermore, be aware of any suspicious emails asking for your personal information as they may be phishing attempts designed to fool you into providing sensitive information to malicious websites

    Discovered: February 18, 2019

  • Superfandominatrix
    Superfandominatrix
    Community Member

    Finally found a number of links about this particular 41Q trove of user id / password combinations.

    https://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14

    https://4iq.com/wp-content/uploads/2018/03/1.4-Billion-Clear-Text-Credentials-Trove-Report_2018.pdf

    A bit more digging, it seems possible Troy Hunt has folded these credentials into his HIBP service, but he has not explicitly declared this particular 4iQ breach, or perhaps described it differently.

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    edited July 2019

    Hi @Superfandominatrix,

    While the data from the 4iQ breach may also be included in HIBP (I would suspect that most of it wasn't already there), HIBP or Watchtower wouldn't include 4iQ itself unless passwords for the 4iQ service were exposed.

    Consider the Equifax breach from last year. A huge about of data was exposed, but because it didn't include your passwords for using Equifax, it wouldn't make sense for us to advise people to change their Equifax passwords. Indeed, most of the victims of that breach had no direct relation with Equifax.

  • Superfandominatrix
    Superfandominatrix
    Community Member

    @jpgoldberg I don't think 4iQ is actually a service in the same way, for example, Hulu is. I think the particular trove of data was discovered by, or perhaps the discovery published through, 4iQ and the organization's name is used to describe the trove discovery. 4iQ might be in a competing / overlapping space along side Troy Hunt's HIBP. Per 4iQ's about website page they "curate the world’s leading data lake of compromised identities exposed in open sources in the surface, social, deep, and dark web".

    The PDF I posted above does indicate the data trove included user id / password credential pairs, and that the credential pair list was an amalgam of many prior data breaches, not a single breach from a single service source.

  • Superfandominatrix
    Superfandominatrix
    Community Member

    Finally found this statement from Troy Hunt, which explains why I could not find reference to 4iQ in his list of breaches. He's rather dismissive of their claims.

    https://www.troyhunt.com/making-light-of-the-dark-web-and-debunking-the-fud/

    The money quote from him about 4iQ is this:

    "And in case you're wondering why you haven't seen this loaded into HIBP, it's because it's already there:

    A random sample of 1k addresses from the 1.4B list shows that 99.6% of them are already in
    @haveibeenpwned. It's pointless loading this, I'll keep working through the source incidents so that people know where their data actually came from. 6/7 pic.twitter.com/0b5DLGf8fY
    — Troy Hunt (@troyhunt) December 10, 2017

    I'm fairly confident that whatever this 3rd monitoring service is trying to tell me has been resolved by closing out issues already identified in 1PW Watchtower.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited July 2019

    @Superfandominatrix: Indeed, HIBP aggregates the contents of all public password dumps. So if "41Q"/"4iQ" is doing the same there would be overlap (though HIBP is more exhaustive than any other databases I've seen). We are not affiliated with the entity you're referring to, but I'm not sure it matters either way: a password repository would containing passwords from previous breaches being breached would not be a security risk; all of those passwords were already compromised in the first place.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Superfandominatrix: Ah, didn't see you'd posted again there. That's very interesting. Thanks for the update!

This discussion has been closed.