Jump to content
Tech 425

Massive breach leaks 773 million email addresses, 21 million passwords

Recommended Posts

Massive breach leaks 773 million email addresses, 21 million passwords

The best time to stop reusing old passwords was 10 years ago. The second best time is now.

2.jpg

It emerged that more than a billion unique email address and password combinations had been posted to a hacking forum for anyone to see in a mega-breach dubbed Collection #1.

The breach was revealed by security researcher Troy Hunt, who runs the service allowing users to see if they’ve been hacked called Have I been Pwned. He has now loaded the unique email addresses totalling 772,904,991 onto the site.

The data includes more than a billion unique email and password combinations – which hackers can use over a range of sites to compromise your services. They will do so by utilizing so-called credential stuffing attacks, seeing bots automatically testing millions of email and password combinations on a whole range of website login pages.

The data originally appeared briefly on cloud service MEGA and was later posted to a popular hacking forum. The Collection #1 folder is comprised of more than 12,000 files weighing in at 87 gigabytes.

Most concerningly, the protective hashing of the stolen passwords had been cracked. This means they are easy to use because they are available in plain text rather than being cryptographically hashed as they often are when sites are breached.

1.jpg

Should I be worried?

In a word: Yes. It’s a massive concern, not least because scale of this breach is huge: Yahoo’s breaches saw 1 billion and 3 billion users affected but the stolen data hasn’t actually resurfaced yet.

And unlike other huge hacks such as Yahoo and Equifax, this breach cannot be tied down to one site. Instead it appears to comprise multiple breaches across a number of services including 2,000 databases.

Hunt says there are many legitimate breaches in the directory listing, but he cannot yet verify this further. “This number makes it the single largest breach ever to be loaded into HIBP,” he adds in a blog.

What’s more, his own personal data is in there “and it's accurate”, he says. “Right email address and a password I used many years ago. Like many of you reading this, I've been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public.”

Finding out if you’re affected

If you are one of the 2.2 million people that already use the Have I Been Pwned site, you should have received a notification: Nearly half of the site's users – or 768,000 – are caught up in this breach.

If you aren’t already a member, you need to visit Have I Been Pwned now. Once on the site, you simply need to type in your email address and search, then scroll down to the bottom of the page. The site will let you know if your email address is affected by this breach – and while you are there, you can see if your details were stolen in any others too.

https://haveibeenpwned.com/

To find out if your password has been compromised, you separately need to check Pwned Passwords– a feature built into the site recently. This feature also helps you to use strong passwords: if yours is on there, it’s safe to assume others are using it and your accounts could be easily breached.

https://haveibeenpwned.com/Passwords

What if my details are there?

Hunt says in his blog: “Whilst I can't tell you precisely what password was against your own record in the breach, I can tell you if any password you're interested in has appeared in previous breaches Pwned Passwords has indexed. If one of yours shows up there, you really want to stop using it on any service you care about.”

If you have a bunch of passwords, checking all of them could be time-consuming. In this case, Hunt suggests 1Password's Watchtower feature which can take all your stored passwords and check them against Pwned Passwords in one go.

https://1password.com/

Most importantly, if your password is on the list, do not ignore it as it can be used in credential stuffing attacks mentioned earlier. Hunt says: “People take lists like these that contain our email addresses and passwords then they attempt to see where else they work. The success of this approach is predicated on the fact that people reuse the same credentials on multiple services.”

More generally, as the number of breaches and their sheer scale increases, it’s time to clean up your password practices. In addition to using two-factor authentication, passwords should be complex – such as a phrase from a favourite book or a line from a song. At the same time, security experts don’t rule out analogue books containing your password – as long as these are not stored on your device or with it.

If you take these measures into account you should be able to avoid using the same password across multiple sites. Ideally, start using a password manager to ensure you can remember these.

 

Have I Been Pwned

https://haveibeenpwned.com/

Pwned Passwords

https://haveibeenpwned.com/Passwords

1Password

https://1password.com/

 

  • Like 1
  • Thanks 1

Share this post


Link to post
Share on other sites

Pretty cool, 10 year history of each time I got pwned

5XRo4Sm.png

 

Just happens I knew most of them and have recently been over My security....

  • Sad 1

Share this post


Link to post
Share on other sites

Yea wait until I found out who pwned me, They think I'm at War with Uranus, Well I shove them up Uranus A$$ ;)

  • Like 1

Share this post


Link to post
Share on other sites
52 minutes ago, SlaveTrainer said:

Very relevant. I've had two financial breaches this week. Quickly caught and reversed but could have been bad.

very good to hear u caught them and rectified it and nothing was stolen.. ;)

  • Like 1

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×