My Email List A .rar
And then this is where it gets interesting: The first folder has 14,669 .rar files in it whilst the second has a further 8,949 .rar files giving a grand total of 23,618 files. This is where the "more than 23,000 hacked databases" headlines come from as this is how many files are in the archive. Because it's relevant to the story and especially relevant to people who find their data in this breach via an HIBP search, I'm going to list the two sets of files in their entirety via the following Gists:
my email list A .rar
Let's drill deeper now and take a look inside one of these files and I'm going to pick "chordie.com 1.515.111 [HASH+NOHASH] (Arts)_special_for_XSS.IS.rar" simply because it's one of the larger ones. Here's the contents:
Taking that first and largest file from the archive, there are over 1.5M lines comprised of email address and MD5 hash pairs. I'm going to highlight one particular row that used a Mailinator address simply because Mailinator accounts are public email addresses where there is no expectation whatsoever of privacy. Here it is:
The "NotFound.txt" file consists of email address and MD5 hash pairs and for each hash I randomly Googled, no plain text result was found so this appears to be hashes that weren't cracked. The "Rejected.txt" file contained malformed email addresses and "Result(HEX).txt" had a small number of email address and password hex pairs. This same pattern appeared over and over again across the other archives and it gives us a pretty good idea of what the data was intended for: credential stuffing.
I extracted all the files, ran my usual email address extraction tool over it (effectively just a regex that can quickly enumerate through a large number of files), and found a total of 226,883,414 unique addresses. A substantial number, although not even in the top 10 largest breaches already in HIBP.
But is it legit? I mean can we trust that both the email addresses and passwords from these alleged breaches represent actual accounts on those services? Let's take the example above which allegedly came from chordie.com, a guitar forum. Over to the password reset and drop in the Mailinator address from before:
Consequently, there is a very high likelihood this data is legit. I haven't notified Chordie as they're one of more than 23k sites listed so clearly disclosure in the traditional sense isn't going to work, at least not where I privately contact the company. But each time I checked, the pattern repeated itself; firstname.lastname@example.org has an account on fullhyderabad.com:
In that example, the data was found in a file called "www.sandhuniforms.com 54.629 [NOHASH].txt" and true to its name, it appears from the forgotten password email that they were never even hashed in the first place. Same again for email@example.com on acdc-bootlegs.com:
I'm conscious I'm showing actual email addresses and either passwords or reset tokens in the images above, but again, these are very clearly test accounts with no expectation of privacy. I'm showing these for impact; this is a serious set of data that includes actual breaches that are almost certainly unknown by the site operators.
At least one other site in the collection was previously (publicly) known to have been breached and in this particular case, was already in HIBP. For example, "hookers.nl 287.560 [HASH+NOHASH] (Adult)_special_for_XSS.IS.rar" is already in HIBP as a sensitive breach. I'm sure there are probably others too so inevitably this isn't 100% new data, let's see if we can put a number on that:
I was curious as to how much of this data had been seen in other breaches before and if there was an obvious trend. For example, is this largely just data from, say, the Collection #1 credential stuffing list I loaded early last year? I took a slice of addresses from the 226M I'd extracted and started running them against HIBP. Here's what I found after checking over 74k addresses:
Given the number of individual breaches, the legitimacy of the data plus the vast number of previously unseen email addresses and passwords, I've loaded it all into HIBP. The lot - both emails and passwords (note: these go in as separate archives and never as pairs, read more about Pwned Passwords here). As with other breaches without a single clear origin, this means that people may find themselves pwned and not know which service leaked their data. It also means they may find their password breached and not know which service leaked it. But it also doesn't matter - here's why:
But there is a gap that goes beyond the risks associated with exposed passwords alone, and that's the personal impact of other exposed data. If, for example, you filled a bunch of other personal information into Chordie then it would be reasonable to assume that's now in the possession of other parties and you would quite rightly want to know about that. This is where we really need the sites indicated in those two Gists above to come forth and I suggest the following: If they're on the list, test a sample set of their own subscriber's email addresses on HIBP. If you're worried about submitting someone else's personal info to my service, grab some Mailinator addresses and check those. If they come back with hits against the Cit0day breach then that's a very strong indication of breach.
Along with opening RAR and other compressed file types, WinZip lets you encrypt files using 128-bit and 256-bit AES encryption. As a bonus, users can also resize pictures and add watermarks. You can also share or save your file instantly using email, clipboard, or cloud storage services like Dropbox or Google Drive.
Most of the options we listed above are available for both Mac and Windows. However, we also have a separate guide on other options for opening RAR files if you own a Mac that you check if you are a Mac user.
Extracting and launching files on an Android phone is a bit complicated, but there are quite a few free and paid apps that can make the process easier for you. If you use your phone for work often, then it is a good idea to get your hands on an efficient RAR extractor. For a list of the best options, head over to our guide on the best RAR file extractors for Android.
In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you can inspect email attachments by setting up mail flow rules (also known as transport rules). Mail flow rules allow you to examine email attachments as a part of your messaging security and compliance needs. When you inspect attachments, you can then take action on the messages based on the content or characteristics of the attachments. Here are some attachment-related tasks you can do by using mail flow rules:
Exchange Online admins can create mail flow rules in the Exchange admin center (EAC) at Mail flow > Rules. You need permissions to do this procedure. After you start to create a new rule, you can see the full list of attachment-related conditions by clicking More options > Any attachment under Apply this rule if. The attachment-related options are shown in the following diagram.
The following table lists the file types supported by mail flow rules. The system automatically detects file types by inspecting file properties rather than the actual file name extension, thus helping to prevent malicious hackers from being able to bypass mail flow rule filtering by renaming a file extension. A list of file types with executable code that can be checked within the context of mail flow rules is listed later in this article.
Any attachment > file name matches these text patternsAttachmentNameMatchesPatternsThis condition matches messages with attachments whose file name contains the characters you specify.Any attachment's file extension matches Any attachment > file extension includes these wordsAttachmentExtensionMatchesWordsThis condition matches messages with attachments whose file name extension matches what you specify.Any attachment is greater than or equal to Any attachment > size is greater than or equal toAttachmentSizeOverThis condition matches messages with attachments when those attachments are greater than or equal to the size you specify. Note: This condition refers to the sizes of individual attachments, not the cumulative size. For example, if you set a rule to reject any attachment that is 10 MB or greater, a single attachment with a size of 15 MB will be rejected, but a message with three 5 MB attachments will be allowed.The message didn't complete scanning Any attachment > didn't complete scanningAttachmentProcessingLimitExceededThis condition matches messages when an attachment is not inspected by the mail flow rules agent.Any attachment has executable content Any attachment > has executable contentAttachmentHasExecutableContentThis condition matches messages that contain executable files as attachments. The supported file types are listed here.Any attachment is password protected Any attachment > is password protectedAttachmentIsPasswordProtectedThis condition matches messages with attachments that are protected by a password. Password detection only works for Office documents, .zip files, and .7z files.Any attachment has these properties, including any of these words Any attachment > has these properties, including any of these wordsAttachmentPropertyContainsWordsThis condition matches messages where the specified property of the attached Office document contains specified words. A property and its possible values are separated with a colon. Multiple values are separated with a comma. Multiple property/value pairs are also separated with a comma.Note