A database that contained almost 773 million email accounts and more than 21 million unique passwords was recently leaked to an online hacking forum in a breach called “Collection #1” that has been called the “largest breach ever.”
Troy Hunt, who runs the breach-notification website “Have I Been Pwned,” first reported the breach on Jan. 17. The service lets people check whether their emails and passwords have been exposed, and which websites the data was leaked from.
Hunt says the Collection #1 breach is the “single largest breach ever” to be reported by the Have I Been Pwned service. Wired.com reported that this is “the largest breach to become public.”
The breach involved 87 gigabytes of data including almost 2.7 billion rows of email addresses and passwords spanning at least 772,904,991 email accounts and 21,222,975 unique passwords. The data is allegedly a collection of more than 2,000 leaked databases.
“Collection #1 is a set of email addresses and passwords totaling 2,692,818,238 rows,” Hunt wrote. “It’s made up of many different individual data breaches from literally thousands of different sources.”
The date of the breach was reported as Jan. 7. The data was uploaded to the popular cloud service MEGA; that upload has since been taken down. The data was also being distributed on a popular public hacking forum.
“They weren’t even for sale; they were just available for anyone to take,” Wired.com noted.
Among the leaked data were passwords that had been “dehashed,” meaning that the hashing which normally scrambles a stored password had been defeated, leaving the password in plain text and directly usable by an attacker.
“What I can say is that my own personal data is in there and it’s accurate; right email address and a password I used many years ago,” Hunt wrote. “In short, if you’re in this breach, one or more passwords you’ve previously used are floating around for others to see.”
Hunt said that about 140 million emails and 10 million passwords in the Collection #1 breach are new to the website’s database, which means they had not been compromised in previous data breaches.
Have You Been Compromised?
Because the emails and passwords in Collection #1 had been made public, Hunt was able to upload them to the Have I Been Pwned database. That means you can find out if your emails or passwords have been affected.
To do so, head over to the Have I Been Pwned website. Enter your email address to see whether your email has been affected in the Collection #1 breach, as well as in previous breaches. You can also check whether any of your passwords have been exposed by heading to the Passwords tab of the website.
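As an added example (not code from the article or from Have I Been Pwned), the Python below shows how a password check of this kind can be done without sending the password itself: the client sends only the first five hex characters of the password's SHA-1 and compares the remaining 35 locally against the returned list. The leaked-password corpus and the `fake_range_lookup` function are constructed stand-ins for the real range API.

```python
import hashlib
from collections import Counter
from typing import Callable, Dict

# Constructed stand-in for a breach corpus: a few made-up leaked passwords,
# some repeated so that the per-password count is non-trivial. Not real data.
CONSTRUCTED_LEAKED_PASSWORDS = [
    "password123", "password123", "qwerty", "letmein", "qwerty", "qwerty",
]

def sha1_hex(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(passwords) -> Dict[str, Counter]:
    """Group hash counts by 5-character prefix, the way the range endpoint serves them."""
    index: Dict[str, Counter] = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], Counter())[h[5:]] += 1
    return index

RANGE_INDEX = build_range_index(CONSTRUCTED_LEAKED_PASSWORDS)

def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns one "<35-char suffix>:<count>" line per matching hash, like the real API."""
    entries = RANGE_INDEX.get(prefix.upper(), {})
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in sorted(entries.items()))

def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the "SUFFIX:COUNT" lines of a range response into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, range_lookup: Callable[[str], str] = fake_range_lookup) -> int:
    """How many times the password appears in the corpus. Only the 5-char hash
    prefix goes to the lookup; the suffix is matched locally, so the password
    (and its full hash) never leaves this process."""
    full_hash = sha1_hex(password)
    prefix, suffix = full_hash[:5], full_hash[5:]
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)

if __name__ == "__main__":
    for candidate in ("password123", "qwerty", "correct horse battery staple"):
        n = breach_count(candidate)
        print(f"{candidate!r}: {'seen %d time(s), do not use' % n if n else 'not in sample corpus'}")
```

Swapping `fake_range_lookup` for an HTTP GET of the prefix against the real range endpoint turns this into a live check with the same privacy property.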
How to Protect Yourself
You should change the passwords on any email accounts that have been leaked. Also, if a password you checked has been seen in a breach, stop using it and change it on every account where you have used it.
Hunt said that the latest Collection #1 breach appears to be geared for use in “credential-stuffing attacks,” where hackers try different email and password combinations at a certain website or service via an automated process. This makes people who reuse passwords across different accounts on the internet especially vulnerable.
“Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts,” Hunt wrote. “People take lists like these that contain our email addresses and passwords, then they attempt to see where else they work.”
As such, going forward, you should not use the same passwords across multiple sites.
To protect yourself one big step further, you should use a password manager such as 1Password or LastPass, which stores a random and unique password for every new account or website you use.
Jake Moore, a cybersecurity expert at ESET UK, told The Guardian, “[The password managing applications] help you generate a completely random password for all of your different sites and apps.
“And if you’re questioning the security of a password manager, they are incredibly safer to use than reusing the same three passwords for all your sites.”
Wired.com also advises that you should enable app-based two-factor authentication on as many accounts as you can so that a password isn’t your “only line of defense” against hackers.