Over 772 million emails compromised in massive data breach
There are data breaches, and then there's the whole damn wall coming down, Equifax-style. And now, the one breach to rule them all - so far. A new cache of leaked data posted to a hacking forum is a real record breaker. Known as Collection #1, it contains an amazing 772,904,991 unique email addresses and over 21 million unique passwords, in plain text for all to see.
The hacked data was first brought to light by security researcher Troy Hunt. Hunt runs Have I Been Pwned, a popular website which lets you check whether your own email or password has been compromised in any breach. And the odds are very, very high that it has.
According to Hunt, Collection #1 is the largest single collection of hacked details, and while a record breaker, it's worth noting that it's a compilation, a kind of master list aggregated from many smaller breaches, some dating back to 2015. The 772 million number doesn't count all the duplicate details Hunt scrubbed from the list (which included some of his own credentials) before uploading it to Have I Been Pwned.
The original data collection had a staggering 2.7 billion rows of email addresses and passwords, including over a billion unique combinations of email addresses and passwords. Given that it is said to be widely circulated on hacker forums and was available on the file-sharing site MEGA, there's a good chance that if you made the list, someone is going to abuse your credentials.
What is my data being used for?
A master list like this seems designed for use in 'credential-stuffing' attacks, in which hackers run an automated process that tries email and password combinations against an online service until one gets in. If you reuse passwords on different Internet services, then one cracked login combination will be tried against other services too.
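Credential stuffing has a distinctive shape in authentication logs: one source tries many different accounts, mostly failing, with the occasional success where a reused password still works. The following added example (not code from the article or from Have I Been Pwned) flags that pattern over a few constructed log lines; the log format and thresholds are assumptions for the illustration.

```python
"""Flag credential-stuffing patterns in authentication logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real data): one line per login attempt.
# The key=value format is an assumption made for this example.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-01-17T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-01-17T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-01-17T10:00:03Z ip=203.0.113.5 user=dave result=OK
2019-01-17T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-01-17T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2019-01-17T10:00:05Z ip=198.51.100.7 user=alice result=FAIL
2019-01-17T10:00:06Z ip=198.51.100.7 user=alice result=FAIL
2019-01-17T10:00:07Z ip=198.51.100.7 user=alice result=FAIL
2019-01-17T10:00:08Z ip=198.51.100.7 user=alice result=FAIL
2019-01-17T10:00:09Z ip=198.51.100.7 user=alice result=FAIL
2019-01-17T10:00:10Z ip=198.51.100.7 user=alice result=FAIL
2019-01-17T10:01:00Z ip=192.0.2.9 user=grace result=OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated while scanning the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)


def parse_line(line):
    """Split a log line into a dict: timestamp plus the key=value fields."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:])
    fields["ts"] = parts[0]
    return fields


def collect_stats(log_text):
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        s = stats[ev["ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "OK":
            s.successes.add(ev["user"])
        else:
            s.failures += 1
    return stats


def flag_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, fail_ratio, accounts_that_succeeded)} for
    sources that look like credential stuffing: many distinct accounts tried
    from one source, mostly failing. A single account hammered from one IP
    (classic brute force, 198.51.100.7 above) is deliberately not flagged here.
    """
    flagged = {}
    for ip, s in collect_stats(log_text).items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = (len(s.users), round(ratio, 2), sorted(s.successes))
    return flagged


if __name__ == "__main__":
    for ip, (users, ratio, hits) in flag_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {users} accounts tried, fail ratio {ratio}, logged in as {hits}")
```

The accounts listed under `accounts_that_succeeded` for a flagged source are the ones to treat as compromised and force through a password reset, which is exactly the reuse problem the article goes on to describe.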
What to do?
Well, first up, go to Have I Been Pwned and check your email there to find out if you've been compromised. Then change your password. Or better yet, prevention being better than the cure, use a dedicated password manager instead of re-using passwords manually. We've recommended Dashlane, but there are other options, including 1Password (partnered with Have I Been Pwned) and LastPass.
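Checking a password against a breach corpus should never mean sending the password itself. Hunt's Pwned Passwords service uses a k-anonymity range lookup for this: the client hashes the password with SHA-1 and sends only the first five hex characters, receives every stored hash suffix sharing that prefix, and does the final comparison locally. The following added example (not code from the article or from the service) reproduces that exchange end to end; the server side and its "breach corpus" are simulated with constructed data so the block runs offline.

```python
"""k-anonymity password lookup, client and simulated server (added example)."""
import hashlib
from collections import Counter

# Constructed sample "breach corpus": password -> times seen. Made up for the
# example; a real corpus stores only hashes and counts, never plaintext.
_CONSTRUCTED_CORPUS = {"password123": 4, "letmein": 2, "qwerty1!": 1}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range model works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side (simulated): bucket hash suffixes by their 5-hex-char prefix."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], Counter())[h[5:]] += count
    return index


RANGE_INDEX = build_range_index(_CONSTRUCTED_CORPUS)


def range_query(prefix):
    """Simulated range endpoint: 'SUFFIX:COUNT' lines for every stored hash that
    shares the prefix. Only these five characters cross the trust boundary, so
    the server cannot tell which of the candidates the client actually holds."""
    if len(prefix) != 5:
        raise ValueError("range query takes exactly 5 hex characters")
    bucket = RANGE_INDEX.get(prefix, {})
    return "\r\n".join(f"{suf}:{n}" for suf, n in sorted(bucket.items()))


def pwned_count(password, query=range_query):
    """Client side: hash locally, send the prefix, match the suffix locally.
    Returns how many times the password appears in the corpus (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in query(prefix).splitlines():
        if not line:
            continue
        suf, _, count = line.partition(":")
        if suf == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("letmein", "a-long-unique-passphrase-for-this-demo"):
        n = pwned_count(candidate)
        print(f"{candidate!r}: seen {n} time(s)" if n else f"{candidate!r}: not in corpus")
```

The `query` parameter is where a real client would make the HTTPS request to the range endpoint instead of calling the local simulation; the matching logic on the client stays identical, and a password manager doing this on your behalf is the practical version of the advice above.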
Have you been affected by the data breach? What steps do you recommend for online personal security?
Source: Troy Hunt
The new content in this breach is not huge. Most of this is a compilation of earlier breaches. The pwned website also has a password checker. My emails are in the lists, but none of my passwords are. Just checking my email addresses is no longer useful as I know they're out there already.