Data breaches have become something of a norm over the past few years, but the one revealed yesterday is being called the mother of all data breaches.
The massive data dump, named “Collection #1”, exposes 773 million email addresses and 21 million passwords: 772,904,991 unique email addresses and 21,222,975 unique passwords, to be exact. By volume it is the largest breach ever loaded into Have I Been Pwned, and second overall only to the Yahoo breach, which affected all 3 billion of that company's user accounts.
Initially uploaded to the popular cloud storage service MEGA and later posted to a popular hacking forum, Collection #1 is a set of roughly 12,000 separate files totalling 87GB of data. A breach of this size raises serious questions about online security.
Collection #1 was first reported by security researcher Troy Hunt, who runs the site “Have I Been Pwned” (HIBP), where users can check whether their email address appears in a known breach. The exposed email and password combinations can be used by attackers to compromise those users' accounts on a wide range of other sites and services.
So that’s the big one and all the details are in that blog post. This also means an updated Pwned Passwords which has gone from 517M records to 551M so there’s a bunch of new ones in there https://t.co/pNWbgtnjiz
— Troy Hunt (@troyhunt) January 16, 2019
Since then, Troy Hunt has loaded the 772,904,991 unique email addresses into the site. According to him, more than a billion unique email address and password combinations (1,160,253,228, to be exact) were exposed.
The troubling part is that the files contain “dehashed” passwords: the hashing that was meant to scramble the passwords into unreadable strings has been cracked, so the passwords are fully exposed in plain text. Hunt said that his own data is in the set: he found one of his email addresses alongside a password he used a few years ago, and it was accurate. He wrote the following in his blog post:
“Right email address and a password I used many years ago. Like many of you reading this, I’ve been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public.”
So what does this mean for ordinary users? According to Hunt, exposed email and password combinations make people vulnerable to a practice called credential stuffing. Credential stuffing is the automated replay of breached username (or email) and password pairs against other sites, in the hope that the owner reused the same password there. It affects anyone who has used the same username and password combination across multiple sites, and since Collection #1 holds more than 2.7 billion such combinations, the scale of the problem is troubling.
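From the defender's side, credential stuffing has a recognisable shape in authentication logs: one source tries many different accounts, one password each, and most attempts fail because the leaked passwords are stale or were never reused on that site. The following is an added example, not code from Hunt's post or from HIBP, that runs that heuristic over a constructed sample log. The `ip=... user=... result=...` line format, the thresholds and the addresses are all assumptions for illustration; real logs will need their own parser and tuning.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real traffic): one IP cycling
# through many different accounts with mostly failed logins, one IP hammering
# a single account, and one ordinary login.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2019-01-17T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2019-01-17T10:00:02Z ip=203.0.113.5 user=carol@example.com result=FAIL
2019-01-17T10:00:03Z ip=203.0.113.5 user=dave@example.com result=SUCCESS
2019-01-17T10:00:04Z ip=203.0.113.5 user=erin@example.com result=FAIL
2019-01-17T10:00:05Z ip=203.0.113.5 user=frank@example.com result=FAIL
2019-01-17T10:01:00Z ip=198.51.100.7 user=alice@example.com result=FAIL
2019-01-17T10:01:05Z ip=198.51.100.7 user=alice@example.com result=FAIL
2019-01-17T10:01:10Z ip=198.51.100.7 user=alice@example.com result=SUCCESS
2019-01-17T10:02:00Z ip=192.0.2.9 user=grace@example.com result=SUCCESS
"""

# Assumed log line format; adapt the regex to the real authentication log.
LINE_RE = re.compile(r"ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)")


def parse_auth_log(text):
    """Yield (ip, user, result) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")


def find_stuffing_sources(text, min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs whose behaviour matches credential stuffing.

    Signature: one source tries many *different* accounts and most attempts
    fail.  A single account with many failures is brute force, not stuffing,
    and is deliberately not flagged here.  Returns {ip: stats} for flagged
    sources; the thresholds are illustrative defaults.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for ip, user, result in parse_auth_log(text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if result == "SUCCESS":
            s["hits"].add(user)

    flagged = {}
    for ip, s in per_ip.items():
        ratio = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "success_ratio": round(ratio, 3),
                # Accounts the attacker actually got into: these need a forced
                # password reset, not just a block on the source IP.
                "compromised": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

On the sample above only 203.0.113.5 is flagged: six distinct accounts, one success. The single-account failures from 198.51.100.7 are a different attack and a different response (lock or rate-limit that account), which is why the heuristic keys on the number of distinct usernames rather than on raw failure counts.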
Should you be worried?
The sale of some 773M email addresses and 21M unique passwords on a hacking forum has been dubbed the biggest ever. People are freaking out. But according to the guy selling this, it’s neither new nor the biggest. It’s about 2-3 years old https://t.co/TQxoSwpfSu pic.twitter.com/kpePzoOIqb
— briankrebs (@briankrebs) January 17, 2019
How can I know if I have been hacked and what to do if I have been?
[Image: Turns out I have been Pwned.]
- First, change the affected password immediately, even if you are not sure it has been compromised, and change it on every other site where you reused it.
- Second, turn on two-factor authentication wherever it is offered, so that a stolen password alone is not enough to log in. A code from an authenticator app or a hardware security key is stronger than a code sent by SMS or to a second email address.
- Last but not least, use a password manager such as LastPass, 1Password or Dashlane to generate a long, random, unique password for every site. With unique passwords, a breach at one service cannot be replayed against another.
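The Pwned Passwords set mentioned in Hunt's tweet can be checked without ever sending a password, or even its full hash, to the service: the client SHA-1s the password, sends only the first five hex characters of the digest, receives every suffix in that range with a count, and matches the remaining 35 characters locally (the k-anonymity range API). The following is an added example, not HIBP's own client code. It uses the documented `https://api.pwnedpasswords.com/range/{prefix}` endpoint and its `SUFFIX:COUNT` response format; the `SAMPLE_RANGE_RESPONSES` table is a constructed stand-in for the live service so the block runs offline, and its counts are made up.

```python
import hashlib


def split_sha1_for_range_query(password):
    """SHA-1 the password and split the uppercase hex digest into the 5-char
    prefix that is sent to the API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_for_suffix(suffix, range_response):
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times our suffix appears in the corpus, 0 if it is absent."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password, fetch_range):
    """Return the number of times `password` appears in Pwned Passwords.
    `fetch_range(prefix) -> str` supplies the range response; only the
    5-char prefix ever leaves this function, never the password or full hash."""
    prefix, suffix = split_sha1_for_range_query(password)
    return count_for_suffix(suffix, fetch_range(prefix))


def fetch_range_live(prefix):
    """Real query against the Pwned Passwords range API (needs network)."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API so the example runs offline.  The prefix
# 5BAA6 and the suffix ...8FD8 are the real SHA-1 split of "password"; the
# counts and the other two suffixes are made up for illustration.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "1E2F1C2B3A4D5E6F708192A3B4C5D6E7F80:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1FFA0C3B6D2E4F5A6B7C8D9E0F1A2B3C4D5:17",
    ]),
}


def fetch_range_offline(prefix):
    """Offline substitute for fetch_range_live using the constructed table."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fetch_range_offline)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample data'}")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service. A non-zero count means the exact password is in a known breach and should be treated as burned everywhere it was used; a zero count only means it is not in the corpus, not that it is strong.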