In one of the largest data breaches ever, more than 770 million email addresses and 21 million unique passwords were posted to an unnamed hacking forum last month. This new breach, which has been dubbed “Collection #1,” was uncovered by digital security expert Troy Hunt.
Details on the Collection #1 breach
The Collection #1 breach includes a raw data set of email addresses and passwords collected from thousands of different sources, according to Hunt. Initially, the suspicious files were uploaded to the file-hosting site MEGA. They were removed later, but they are now available on an unnamed hacker forum.
New breach: The “Collection #1” credential stuffing list began broadly circulating last week and contains 772,904,991 unique email addresses with plain text passwords (now in Pwned Passwords). 82% of addresses were already in @haveibeenpwned. Read more: https://t.co/BAa3rbgZo4
— Have I Been Pwned (@haveibeenpwned) January 16, 2019
The 87 GB of leaked data represent about 1.16 billion unique combinations of email addresses and passwords stored in more than 12,000 separate files. Most of the email addresses in the Collection #1 breach have appeared in previous breaches, like the 2008 MySpace hack and the 2016 LinkedIn hack.
Even the name “Collection #1” implies that the data has been compiled from several different sources. Because it is a massive collection from multiple sources, it is being described as the largest collection of breached data in history. Although the security expert said much of the data dates from as early as 2008, he added that about 140 million email addresses in the latest breach are new. These new addresses may have come from one big unreported breach, several small ones, or a combination of both.
Should you be worried?
Although some consider it to be the largest data breach in history, in terms of volume it is second to Yahoo’s data breach, which affected billions of users. However, the data stolen in the Yahoo breach hasn’t surfaced yet. Additionally, unlike the Yahoo and Equifax breaches, the Collection #1 breach is not limited to one site. Instead, it is a collection of multiple breaches from multiple services covering 2,000 databases. Hunt notes that the directory listing includes many legitimate breaches, making it the “single largest breach ever to be loaded into HIBP.”
Email address != person.
God job a load of that were automated bots using the variable
— Happy Loaf (@Happy_Loaf) January 16, 2019
The data breach also includes previously encrypted passwords that have been cracked and converted to plain text. This breached data is not up for sale. Instead, it was dumped on a popular hacking forum, so it is accessible to anyone who knows where to find it.
“It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers,” Hunt told WIRED. “There’s no obvious patterns, just maximum exposure.”
Even though the breached data does not include social security or credit card data, hackers can still carry out credential-stuffing attacks, trying the leaked email and password combinations against websites like Netflix, Facebook and others in the hope that users reused the same password. Thus, it is recommended that you check whether your email address and passwords have been compromised.
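Credential stuffing has a recognizable shape on the defender's side: one source address failing logins against many different accounts in a short window, with the occasional success marking an account that should be reset. The following is an added example, not code from the article or from Have I Been Pwned, showing that detection logic run over a few constructed authentication log lines (the log format, IP addresses and account names are all made up for this example):

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of an application's authentication log (not real data).
# 203.0.113.5 sprays six different accounts in ten seconds and then succeeds on
# a seventh; 198.51.100.7 is a single user who mistypes their own password.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2019-01-17T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2019-01-17T10:00:03Z ip=203.0.113.5 user=carol@example.com result=FAIL
2019-01-17T10:00:04Z ip=203.0.113.5 user=dave@example.com result=FAIL
2019-01-17T10:00:05Z ip=203.0.113.5 user=erin@example.com result=FAIL
2019-01-17T10:00:06Z ip=203.0.113.5 user=frank@example.com result=FAIL
2019-01-17T10:00:07Z ip=203.0.113.5 user=grace@example.com result=SUCCESS
2019-01-17T10:20:00Z ip=203.0.113.5 user=heidi@example.com result=FAIL
2019-01-17T10:01:00Z ip=198.51.100.7 user=alice@example.com result=FAIL
2019-01-17T10:01:30Z ip=198.51.100.7 user=alice@example.com result=FAIL
2019-01-17T10:02:00Z ip=198.51.100.7 user=alice@example.com result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Turn the constructed log format into event dicts with datetime stamps."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def flag_stuffing_sources(
    events: List[dict],
    window: timedelta = timedelta(minutes=5),
    min_distinct_users: int = 5,
) -> Dict[str, int]:
    """Return {ip: max distinct accounts that failed login within one window}.

    A sliding window over each IP's failed attempts catches a spray against many
    accounts, while one user retrying their own password never counts as more
    than a single distinct account.
    """
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_ip[e["ip"]].append(e)

    flagged: Dict[str, int] = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        in_window: Counter = Counter()
        start, best = 0, 0
        for end, e in enumerate(fails):
            in_window[e["user"]] += 1
            # Drop events that fell out of the window ending at this event.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                old = fails[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_distinct_users:
            flagged[ip] = best
    return flagged


def successes_from_flagged(
    events: List[dict], flagged: Dict[str, int]
) -> List[Tuple[str, str]]:
    """Accounts that a flagged source logged into successfully: reset these first."""
    hits = {(e["ip"], e["user"]) for e in events
            if e["result"] == "SUCCESS" and e["ip"] in flagged}
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = flag_stuffing_sources(evs)
    print("suspected credential-stuffing sources:", sources)
    print("accounts to force-reset:", successes_from_flagged(evs, sources))
```

The thresholds (five distinct accounts in five minutes) are illustrative; in production they are tuned per application, and the same logic is usually keyed on more than the source IP, since stuffing tools rotate addresses.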
How to check if your email ID and password were breached
To check whether your email address has been exposed, use the free service on Hunt’s Have I Been Pwned site. Once you are on the site, enter your email address, press search, and then scroll down to the bottom. The service will tell you whether the email you entered is included in the breach. You can also find out whether your data has been compromised in any previous breaches.
You can also check whether your password has been compromised. To do this, go to the Pwned Passwords feature that was recently added to the site. If your password is there, it is no longer safe to use. You can use the Pwned Passwords feature to help you come up with strong passwords.
If you have several passwords, checking them individually could take time, so Hunt recommends using 1Password’s Watchtower feature. The feature checks all your passwords in one go against the Pwned Passwords database.
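Pwned Passwords can be queried without ever sending the password itself: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash, receiving every known suffix under that prefix (a k-anonymity scheme). The following is an added example, not code from the article or from Have I Been Pwned, implementing that check; the endpoint URL and the `Add-Padding` header come from the public Pwned Passwords API rather than from the article, and the range response below is a constructed sample with made-up counts (the real count for any password will differ):

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed sample of what the range endpoint returns for prefix "5BAA6".
# The real service (https://api.pwnedpasswords.com/range/5BAA6, assumed from the
# public API) returns one "<35-hex suffix>:<count>" line per known hash;
# with the Add-Padding header some zero-count filler lines are mixed in.
SAMPLE_RANGE_RESPONSE = """\
0013A6D7D3A7CD4F4F38A0E58BB1D4EF3C1:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3533661
27B8AF7DC12B6F8B5B3B6A3E7A0E8C3D9F1:0
"""


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix sent to the API
    and the 35-char suffix that is compared locally and never transmitted."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding entries carry a count of 0."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Real network fetch; the only thing that leaves the machine is the prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str,
                   range_fetcher: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in Pwned Passwords (0 = not
    found). The fetcher is injectable so the logic can be exercised offline."""
    prefix, suffix = split_hash(password)
    counts = parse_range_response(range_fetcher(prefix))
    return counts.get(suffix, 0)


def lookup_count(password: str, range_body: str) -> int:
    """Offline variant: match a password against an already-fetched range body."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample; swap in fetch_range
    # (the default) to query the live service.
    n = check_password("password", lambda _prefix: SAMPLE_RANGE_RESPONSE)
    print("seen" if n else "not seen", n, "times in the sample range")
```

Because the comparison happens on the client, the service never learns which suffix (if any) matched, which is what makes it reasonable to run this kind of check against a password you actually use.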
Hunt says it is difficult to link an indexed password to a specific user, but he recommends changing leaked passwords straight away.
“Whilst I can’t tell you precisely what password was against your own record in the breach… If one of yours shows up there, you really want to stop using it on any service you care about,” the security expert says.
Hunt also recommends using a password manager or the age-old method of storing passwords offline.
“It might be contrary to traditional thinking, but writing unique passwords down in a book and keeping them inside your physically locked house is a damn sight better than reusing the same one all over the web,” Hunt says.
Users are also advised to change their password practices and opt for two-factor authentication. Passwords should also be complex: a mix of letters, numbers and symbols, or a line from a song. To ensure you always remember your passwords, keep a record of them, but not on your device.