A database containing almost 773 million email accounts and more than 21 million unique passwords was recently leaked to an online hacking forum in a breach dubbed “Collection #1,” which has been called the “largest breach ever.”
The breach involved 87 gigabytes of data including almost 2.7 billion rows of email addresses and passwords spanning at least 772,904,991 email accounts and 21,222,975 unique passwords. The data is allegedly a collection of more than 2,000 leaked databases.
“Collection #1 is a set of email addresses and passwords totaling 2,692,818,238 rows,” wrote security researcher Troy Hunt, who runs the Have I Been Pwned breach-notification service. “It’s made up of many different individual data breaches from literally thousands of different sources.”
The date of the breach was reported as Jan. 7. The data was uploaded to the popular cloud service MEGA, from which it has since been taken down. The data was also being distributed on a popular public hacking forum.
“They weren’t even for sale; they were just available for anyone to take,” Wired.com noted.
Among the leaked data were passwords that had been “dehashed”: the one-way hashing that normally scrambles a stored password had been cracked, leaving the password in plain text and directly usable by an attacker.
“What I can say is that my own personal data is in there and it’s accurate; right email address and a password I used many years ago,” Hunt wrote. “In short, if you’re in this breach, one or more passwords you’ve previously used are floating around for others to see.”
Have You Been Compromised?
Because the emails and passwords in Collection #1 had been made public, Hunt was able to upload them to the Have I Been Pwned database. That means you can find out if your emails or passwords have been affected.
How to Protect Yourself
You should change the passwords on any email accounts that have been leaked. Also, if a password you check turns out to have been seen in the data, you should stop using that password and change it on every account where you have used it.
Hunt said that the latest Collection #1 breach appears to be geared for use in “credential-stuffing attacks,” where hackers try different email and password combinations at a certain website or service via an automated process. This makes people who reuse passwords across different accounts on the internet especially vulnerable.
“Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts,” Hunt wrote. “People take lists like these that contain our email addresses and passwords, then they attempt to see where else they work.”
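On the defending side, credential stuffing leaves a recognisable trace in authentication logs: one source tries many distinct accounts, typically one leaked pair each, which differs from a brute-force attempt that hammers a single account. The following Python script is an added example, not from the article or from Have I Been Pwned; the log format and all log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data) in a simple key=value format.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z auth login=FAIL user=alice@example.com src=203.0.113.10
2019-01-17T10:00:01Z auth login=FAIL user=bob@example.com src=203.0.113.10
2019-01-17T10:00:02Z auth login=FAIL user=carol@example.com src=203.0.113.10
2019-01-17T10:00:02Z auth login=OK user=dave@example.com src=203.0.113.10
2019-01-17T10:00:03Z auth login=FAIL user=erin@example.com src=203.0.113.10
2019-01-17T10:00:03Z auth login=FAIL user=frank@example.com src=203.0.113.10
2019-01-17T10:00:10Z auth login=FAIL user=alice@example.com src=198.51.100.7
2019-01-17T10:00:11Z auth login=FAIL user=alice@example.com src=198.51.100.7
2019-01-17T10:00:12Z auth login=FAIL user=alice@example.com src=198.51.100.7
2019-01-17T10:00:13Z auth login=FAIL user=alice@example.com src=198.51.100.7
2019-01-17T10:00:14Z auth login=FAIL user=alice@example.com src=198.51.100.7
2019-01-17T10:00:20Z auth login=OK user=grace@example.com src=192.0.2.44
"""

LINE_RE = re.compile(r"login=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)")

def classify_sources(log_text, min_attempts=5, spray_ratio=0.8):
    """Aggregate login attempts per source IP and label the pattern.

    credential-stuffing: many attempts spread over mostly distinct accounts
    (each leaked email/password pair is usually tried once).
    brute-force: many attempts concentrated on a single account.
    Returns {src: (label, attempts, distinct_users, successes)}.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not login events
        s = per_src[m["src"]]
        s["attempts"] += 1
        s["ok"] += 1 if m["result"] == "OK" else 0
        s["users"].add(m["user"])

    verdicts = {}
    for src, s in per_src.items():
        distinct_ratio = len(s["users"]) / s["attempts"]
        if s["attempts"] < min_attempts:
            label = "normal"
        elif distinct_ratio >= spray_ratio:
            label = "credential-stuffing"
        elif len(s["users"]) == 1:
            label = "brute-force"
        else:
            label = "suspicious"
        # A success inside a stuffing burst marks an account whose reused
        # password was in the leak and should be reset immediately.
        verdicts[src] = (label, s["attempts"], len(s["users"]), s["ok"])
    return verdicts

if __name__ == "__main__":
    for src, (label, attempts, users, ok) in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {label:20} attempts={attempts} users={users} successes={ok}")
```

Any account that logged in successfully from a source labelled credential-stuffing (dave@example.com in the sample) is one whose reused password is in the leak, which is exactly the reset-and-stop-reusing advice the article gives.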
As such, going forward, you should not use the same passwords across multiple sites.
To protect yourself one big step further, you should use a password manager such as 1Password or LastPass, which generates and stores a random, unique password for every new account or website you use.
“And if you’re questioning the security of a password manager, they are incredibly safer to use than reusing the same three passwords for all your sites.”