There’s no shortage of data breaches these days, but this one should make you sit up and pay attention. The newly discovered “Collection #1” is the largest public data breach by volume, with 772,904,991 unique emails and 21,222,975 unique passwords exposed.
The breach was first reported by Troy Hunt, the security researcher who runs the site Have I Been Pwned (HIBP), where you can check if your email has been compromised in a data breach. In his blog, Hunt says a large collection of 12,000 separate files and 87GB of data had been uploaded to MEGA, a popular cloud service. The data was then posted to a popular hacking forum and appears to be an amalgamation of over 2,000 databases. The troubling thing is the databases contain “dehashed” passwords, which means the methods used to scramble those passwords into unreadable strings have been cracked, fully exposing the passwords in plain text.
So what does this mean for the average person? According to Hunt, it means compromised email and password combos are more vulnerable to a practice called credential stuffing. Basically, credential stuffing is when breached username or email/password combos are tried against login forms on other sites, taking over any account where the same credentials were reused. This could impact anyone who has used the same username and password combo across multiple sites, and it is concerning because the Collection #1 breach contains almost 2.7 billion combos. Plus, around 140 million emails and 10 million passwords from Collection #1 were new to Hunt’s HIBP database—meaning they’re not from previously reported megabreaches.
If you’re curious if your emails and passwords are part of the Collection #1 breach, you can check at HIBP. You can also manually search to see which of your passwords have been exposed. I checked, and yes, my personal email was part of the Collection #1 breach, along with multiple no-longer-in-use passwords. Needless to say, if you can find your password in the HIBP database, you should change it immediately.
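For readers who would rather not paste a password into a web form, here is an added example (not code from the article, from Hunt, or from HIBP itself) that performs the same Pwned Passwords check the way HIBP’s public range API works: only the first five hex characters of the password’s SHA-1 hash are sent, and the remaining 35 characters are matched locally, so the service never sees the full hash. The endpoint URL is HIBP’s real range API; the embedded sample response is constructed for offline use, and the `fetch` hook is this example’s own addition.

```python
import hashlib
import urllib.request
from typing import Callable, Optional, Tuple

# Real HIBP Pwned Passwords range endpoint: GET <url><first 5 hex chars of SHA-1>
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to HIBP and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line, CRLF separated)
    and return how often our suffix appeared in breaches; 0 if absent."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch: Optional[Callable[[str], str]] = None) -> int:
    """k-anonymity lookup: fetch the whole bucket for the hash prefix, then
    match the suffix locally. `fetch` (hypothetical hook) lets offline
    callers inject a canned response instead of hitting the network."""
    prefix, suffix = sha1_prefix_suffix(password)
    if fetch is None:
        def fetch(p: str) -> str:
            req = urllib.request.Request(PWNED_RANGE_URL + p,
                                         headers={"User-Agent": "pwned-check-example"})
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode("utf-8")
    return count_in_range(suffix, fetch(prefix))


# Constructed sample of a range response for prefix 5BAA6 (SHA-1 of "password"
# starts with 5BAA6); the other suffixes and all counts are made up.
SAMPLE_RANGE_5BAA6 = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2\r\n"
)

if __name__ == "__main__":
    hits = pwned_count("password", fetch=lambda p: SAMPLE_RANGE_5BAA6)
    print("seen in breaches" if hits else "not found", hits)
```

Run without the `fetch` argument to query the live API; a non-zero count means the password has appeared in a known breach and should be retired.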
The takeaways from the Collection #1 breach, however, are the same good security practices as always. Don’t reuse passwords, enable two-factor authentication, and if you’ve been waiting to get a password manager, now is the time to bite the bullet.
Update 3:42pm ET: It gets worse. Security reporter Brian Krebs reports that the Collection #1 trove is just a single offering from a seller who claims to have at least six more batches of data. Also, the Collection #1 data is said to be 2-3 years old, so not exactly the freshest but potentially still valuable to malicious actors. Including the Collection #1 data, Krebs writes, this person is selling “almost 1 Terabyte of stolen and hacked passwords.”