Thursday January 17, 2019

773 Million Records from Massive Data Breach Uploaded to Have I Been Pwned

Troy Hunt is a Microsoft Regional Director and is the owner and creator of Have I Been Owned (HIBP). Today he alerted the security community to a massive 87GB data breach that the hacker community calls "Collection #1." It contains 773 million unique email addresses, 1.1 billion unique combinations of email addresses and passwords, and over 21 million unique passwords. The data dump is from a MEGA collection that a hacker community forum used to upload stolen credentials to as they shared their latest escapades. Since "Collection #1" has so many individual hackers associated with it, verifying all of the data breaches at individual companies is extremely time consuming. Curious consumers can use HIBP to check to see if their email address is part of the collection and they can use Pwned Passwords to see if their password has been compromised.

News Image

What's the Risk If My Data Is in There? I referred to the word "combos" earlier on and simply put, this is just a combination of usernames (usually email addresses) and passwords. In this case, it's almost 2.7 billion of them compiled into lists which can be used for credential stuffing: Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. In other words, people take lists like these that contain our email addresses and passwords then they attempt to see where else they work. The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because its subsequently been breached and you've been using that same password all over the place, you've got a serious problem.

Discussion