What are they going to do, steal my mail.

When my bank says why don't you do online banking, jeez. This.
Note: The source is unconfirmed. However, it's still a smart idea to enable two step if you haven't already.
If anybody were actually smart enough to hack into my email, they'd search through my stuff only to be subjected to about half a million crappy puns.
When data breaches like these are so commonplace, you basically have to assume that the password hashes for EVERY account on EVERY service you use are fully visible to everyone from the moment you set them. No data security technician on the planet can do their job correctly it seems.
CharlesGrey: But millions of accounts at once?
Depends on the size of the botnet.
a4plz: When data breaches like these are so commonplace, you basically have to assume that the password hashes for EVERY account on EVERY service you use are fully visible to everyone from the moment you set them. No data security technician on the planet can do their job correctly it seems.
The security personnel aren't the issue; people are. People are lazy and uneducated, which creates a weak link somewhere that is almost impossible to contain. Also, like any other department or outsourcing company, they are most likely given an inhuman deadline and a cheap budget to get the job done, so that corners have to be cut, creating further weak links.

For corporations, this isn't really a technical issue or even a PR issue, it's economical. If it's cheaper to have bare-minimum security that is good enough and, when a security leak happens, to quickly respond by hiring crisis management, PR and security consultants until the issue is fixed, that is what they are going to do, and who can blame them? They are for-profit entities.

What one could wish for, though, is that the security people could create a standard strategy for how to prepare for these situations rather than rely on the clean-up strategy I mentioned. The standard is also necessary to avoid the "my company only needs to be a little more secure than the competition" attitude.
zeogold: If anybody were actually smart enough to hack into my email, they'd search through my stuff only to be subjected to about half a million crappy puns.
And then they'd die from an overdose -- it'd be just like that Monty Python sketch.
CharlesGrey: But millions of accounts at once?
ET3D: Depends on the size of the botnet.
Ah, I hadn't considered that. But still, that would take an absurd amount of processing power. And wouldn't an attack of that scale ring all sorts of "alarm bells"?
Post edited May 05, 2016 by CharlesGrey
I can understand users being the weak link of their own account's security, but come on, accessing millions of database records at once is an operation that should require some kind of physical key-in-hand authorisation at the company headquarters.

I wish there was a legal obligation to publish the details of significant break-ins like this, with a summary of steps taken by the victim company to protect themselves in the future. At least then people could make informed choices instead of being fed the same "shit happens lol, just change your password" rhetoric every time.
Today is the World Password Day
CharlesGrey: Ah, I hadn't considered that. But still, that would take an absurd amount of processing power. And wouldn't an attack of that scale ring all sorts of "alarm bells"?
We don't know how long it took. I imagine that many millions of people are logging in each day, so adding a few percent to it might not ring bells. I'm not sure. I imagine that those who try this have some awareness of the limits.
amund: Today is the World Password Day
I should try running a game of Password on the forum. I wonder how that'd go.
Darvond: Note: The source is unconfirmed. However, it's still a smart idea to enable two step if you haven't already.
This?

Anyway, I hope they warn all users that might have been affected. Changing all passwords would be a pain in the ass.
How can someone get access to my account if I have two-step with my phone?

edit: well, I just gave myself the strangest, most random password (I just wrote a bunch of shit down) that I probably have no way of knowing by heart. If someone really wants to attempt my Hotmail with its 16 letters, numbers and symbols, then be my guest. I doubt China or Brazil are going to get much intel from me though lol.
Post edited May 05, 2016 by micktiegs_8
ET3D: I agree that it does seem likely that there was a hack, but trying to get accounts one by one is also not too far fetched. I occasionally get notifications of someone trying to get into my accounts at various places. I also imagine that people reuse passwords and that can easily be used to attempt to get into their accounts. Any account that doesn't always notify you of a wrong login can be a good target for brute force, and most places work like that.
CharlesGrey: But millions of accounts at once? And I'm fairly sure major services such as Google or MS do have protection against such plain brute force hacking attempts.
Once the salt is figured out, calculating hash checks for passwords would allow you to bulk check the 200,000 most common passwords and find instant weak passwords for emails.

However, if you don't use a common password, or variants, and if they require a unique salt per user (say, the email is also part of the salt), so your password would perhaps convert to: emailservice.saltemail.password.salt2, then you can't brute force millions at once (on a single machine), unlike in other systems with lower security where it would be closer to: salt.password.salt2, and calculating a single hash could be checked against all accounts for an identical match.
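The difference this post describes between a single site-wide salt and a per-user salt can be shown directly. The following is an added example, not code from the thread or from any of the services mentioned: it hashes a few constructed sample accounts both ways and counts how many stored digests are duplicates of another account's digest. The site-wide salt value, the sample users and the choice of PBKDF2-HMAC-SHA256 as the slow hash are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demonstration; not real users.
SAMPLE_USERS = [
    ("alice@example.com", "password123"),
    ("bob@example.com", "password123"),  # same password as alice
    ("carol@example.com", "correct horse battery staple"),
]

# Assumed site-wide secret salt (the "salt"/"salt2" of the post); constructed value.
SITE_SALT = b"constructed-site-wide-salt"
# PBKDF2-HMAC-SHA256 stands in for whatever slow hash a real service uses.
ITERATIONS = 50_000


def hash_global_salt(password: str) -> str:
    """Weak scheme: the same site-wide salt for every account.

    Nothing account-specific enters the hash, so two accounts with the same
    password store the same digest, and one candidate digest can be compared
    against every row of a leaked table at once.
    """
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), SITE_SALT, ITERATIONS)
    return digest.hex()


def hash_per_user(password: str, email: str, user_salt: bytes) -> str:
    """Stronger scheme: site salt + email + random per-user salt.

    Identical passwords now yield different digests, so each account has to
    be worked on separately, which is the post's "can't brute force millions
    at once" property.
    """
    salt = SITE_SALT + email.lower().encode() + user_salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return digest.hex()


def store_global(users):
    """Build a {email: digest} table under the weak scheme."""
    return {email: hash_global_salt(pw) for email, pw in users}


def store_per_user(users):
    """Build a {email: (user_salt_hex, digest)} table under the per-user scheme."""
    table = {}
    for email, pw in users:
        user_salt = os.urandom(16)  # fresh random salt for every account
        table[email] = (user_salt.hex(), hash_per_user(pw, email, user_salt))
    return table


def verify_per_user(table, email: str, password: str) -> bool:
    """Check a login attempt against the per-user table in constant time."""
    if email not in table:
        return False
    salt_hex, stored = table[email]
    candidate = hash_per_user(password, email, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def shared_digest_count(digests) -> int:
    """Number of stored digests that duplicate another account's digest.

    A non-zero result means a single hash computation can be checked against
    several accounts at once, which is exactly what per-user salting prevents.
    """
    digests = list(digests)
    return len(digests) - len(set(digests))


if __name__ == "__main__":
    weak = store_global(SAMPLE_USERS)
    strong = store_per_user(SAMPLE_USERS)
    print("global salt, duplicated digests:", shared_digest_count(weak.values()))
    print("per-user salt, duplicated digests:",
          shared_digest_count(d for _, d in strong.values()))
    print("alice logs in:", verify_per_user(strong, "alice@example.com", "password123"))
```

With the global salt, alice and bob share one stored digest; with the per-user salt every digest is unique, so a leaked table gives an attacker no way to test one guess against all rows at once, and the slow hash makes each per-account attempt expensive. The per-user table also keeps the random salt next to the digest, which is normal: the salt's job is uniqueness, not secrecy.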

ET3D: Depends on the size of the botnet.
Tens of thousands or millions of computers unknowingly working together to crack passwords...
micktiegs_8: How can someone get access to my account if I have two-step with my phone?
They can't. They may have (potentially) your password, but they won't be able to access your actual account or change your password. Also, the source (I just checked the linked Metro article for now) is quite unspecific about the "quality" of the leak/hack, meaning whether the hackers somehow got username/password combinations in clear text (which should not be possible), or got the username/password combinations through a coordinated brute-force attack (which shouldn't be possible either, as it should have been detected really easily given the cited scale of "97 million accounts"), or only obtained the email addresses together with encrypted/salted passwords. So yeah, until there is more information about this hack I would be rather relaxed, especially if using 2-step and/or a robust password.