January 22, 2019
Security researcher Troy Hunt, who runs a service that lets you check whether your email address or passwords have appeared in a breach, has loaded Collection #1, the largest breach data set ever added to that service, into it. The collection holds 772,904,991 unique email addresses and about 21 million unique passwords, all of which were recently posted to a hacking forum. Those numbers are a “cleaned-up” version of the raw data, which comprises 2.7 billion rows of email addresses and passwords, including over one billion unique email-and-password combinations.
Wired reports that the hacked data appeared on the cloud service MEGA and “persisted on what Hunt refers to as ‘a popular hacking forum’,” in a folder dubbed Collection #1 containing over 12,000 files totalling more than 87 gigabytes. The data “claims to aggregate over 2,000 leaked databases that contain passwords whose protective hashing has been cracked,” meaning the passwords are present in plain text and can be used directly, with no cracking effort on the attacker’s part.
In Collection #1, an estimated 140 million email accounts and over 10 million unique passwords are new to Hunt’s database.
Hunt’s site Have I Been Pwned offers anyone a way to find out if his or her information has been compromised, almost a certainty given the numbers. “It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers,” said Hunt. “There’s no obvious patterns, just maximum exposure.”
Wired deems the collection the largest set of breached credentials ever to be published openly, “second only to Yahoo’s pair of incidents — which affected 1 billion and 3 billion users, respectively — in size.”
Hackers will use the data in credential-stuffing attacks, in which bots “throw email and password combinations at a given site or service.” Particularly vulnerable are people who reuse passwords across the Internet, since a password exposed by one site’s breach unlocks every other site where it was reused. But everyone is at risk because the email addresses and passwords were stored, “not in some dark web backwater, but on one of the most popular cloud storage sites … and then on a public hacking site,” available for free.
Forbes advises everyone who may have been compromised to follow some simple guidelines. It warns that the breach is “a massive concern” because it “appears to comprise multiple breaches across a number of services including 2,000 databases,” and it strongly recommends visiting the Have I Been Pwned site as soon as possible to check both email addresses and passwords.
“Whilst I can’t tell you precisely what password was against your own record in the breach, I can tell you if any password you’re interested in has appeared in previous breaches Pwned Passwords has indexed,” said Hunt. “If one of yours shows up there, you really want to stop using it on any service you care about.”
Last, Hunt recommends signing up for 1Password, the password manager whose Watchtower feature automatically checks all your stored passwords against the Have I Been Pwned site. “As the number of breaches and their sheer scale increases, it’s time to clean up your password practices,” says Forbes. And follow the experts’ advice: turn on two-factor authentication, use a different password for every site (reuse is exactly what credential stuffing exploits), and make each one long and complex, for example a phrase from a favorite book or a line from a song.
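The Pwned Passwords check Hunt describes does not require sending your password, or even its full hash, to anyone: the client hashes the password with SHA-1, sends only the first five hex characters of the digest to the range endpoint, receives every suffix the service knows for that prefix, and does the matching locally. The following is an added example, not code from the article, Have I Been Pwned or 1Password; it uses the documented endpoint https://api.pwnedpasswords.com/range/{prefix}, and the reply in `SAMPLE_RANGE` is a constructed stand-in (the neighbouring suffixes and all counts are made up) so the example runs offline.

```python
"""Check a password against Pwned Passwords using the k-anonymity range API.

Added example. The range endpoint is the real, documented one; SAMPLE_RANGE
is a constructed reply used so the demo runs offline, and its counts are
invented for illustration.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{}"


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form Pwned Passwords is indexed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_live(prefix: str) -> str:
    """Real network fetch of all known suffixes for a 5-char prefix."""
    req = urllib.request.Request(RANGE_URL.format(prefix),
                                 headers={"User-Agent": "example-pwned-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_live) -> int:
    """Return how often `password` appears in Pwned Passwords, 0 if never.

    Only the 5-character prefix leaves the machine; the 35-character
    suffix is compared against the returned list locally.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0


# Constructed reply for prefix 5BAA6, the prefix of SHA-1("password").
# The middle suffix is the genuine remainder of that digest; the two
# neighbours and all three counts are made up.
SAMPLE_RANGE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "21BD12DC183F740EE76F27B78EB39C8AD97:1\r\n"
)


def offline_check(password: str):
    """Run the check against SAMPLE_RANGE and record what was sent out.

    Returns (count, prefixes_sent) so the k-anonymity property, that the
    server only ever sees five hex characters, can be verified.
    """
    sent = []

    def fake_fetch(prefix: str) -> str:
        sent.append(prefix)
        return SAMPLE_RANGE

    return pwned_count(password, fetch_range=fake_fetch), sent


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        count, sent = offline_check(candidate)
        print(f"{candidate!r}: seen {count} times; sent prefix {sent[0]}")
```

Two practical notes. SHA-1 is appropriate here only because the service indexes by it and the comparison happens client-side; it is not a recommendation to store passwords with SHA-1. And a count of zero means only that the password is not in the corpus Hunt has indexed, not that it is strong, so the check belongs alongside a password manager's generated, per-site passwords rather than in place of them.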