These days, massive data breaches seem just like a common, even boring, fact of life. But occasionally, a breach comes along that gives people pause. This is one such case.
The so-called “Collection #1” is the mother of all breaches. It’s quite literally the largest single data breach by volume that has been discovered, containing about 772,907,991 unique email addresses and 21,222,975 unique passwords, Wired reported.
Collection #1 was first spotted by Troy Hunt, a security researcher who runs popular site Have I Been Pwned. In a blog post, Hunt said that he found a massive folder of about 12,000 separate files on cloud platform MEGA. It contained nearly 87GB of data in total.
All of that data, thought to be compromised of about 2,000 separate databases, was apparently posted to a popular hacking forum. Worse still, those databases contained fully exposed, “rehashed” passwords.
There are about 2.7 billion username/password combos in the batch. Of those, about 140 million emails and 10 million passwords seem to be new — Hunt notes that he did not have them in his Have I Been Pwned database.
Hunt notes that this means emails and passwords on that list are much more vulnerable to credential stuffing. Basically, that’s a technique in which compromised login credentials are used to hack into other accounts associated with them.
It’s especially of concern to users who use the same username and password across multiple sites. Which, by the way, is something you shouldn’t be doing.
If that wasn’t enough to keep you up at night, cybersecurity journalist Brian Krebs added some more bad news.
According to Krebs, Collection #1 is just one batch of data being offered by a seller who claims to have at least six more. All in all, Krebs says the seller has “almost 1 terabyte of stolen and hacked passwords.”
What Do I Do?
Also, if you’ve put off cybersecurity best practices, now is a good time to start. Use unique passwords for every site, enable two-factor authentication wherever you can, and consider using a password manager.