More than 772 million unique email addresses and over 21 million unique passwords have been leaked and posted to a hacking forum, according to security researcher Troy Hunt. This is a massive breach of data by any estimation. However, there's no need to panic just yet: there are some simple steps you can take to protect your online privacy.
The data breach was first reported by Hunt, who wrote on his website that multiple people directed him to a large collection of files on the popular cloud service MEGA. Although the data from this service has since been removed, the breach – which Hunt called Collection #1 – included over 12,000 separate files and over 87GB of data.
It’s tough to pin down exactly where this trove of information came from, but it appears to be an aggregation of breaches from thousands of different sources, with 140 million new email addresses that his site “Have I Been Pwned” has never seen before. It's important to note that much of this data is compiled from old data breaches, which means the information was breached a while ago and you've likely been notified or have changed your password since then. If you haven't, now is definitely the time to do so.
“In terms of the risk this presents, more people with the data obviously increases the likelihood that it'll be used for malicious purposes,” wrote Hunt on his site.
"In some ways, it's nothing new," Hunt added to IFLScience. "It's a collection of credentials from old breaches that people have been passing around for years. But what makes it more serious is how broadly available it is to anyone who wants it and increasingly, how ubiquitous automated tools designed to use lists like these and break into accounts are."
Hunt believes the mega-list was made with “credential stuffing” in mind: attackers feed breached username/password pairs into other sites in bulk, hoping some of them still work, to gain access to user accounts. Such a technique preys particularly on those who reuse their credentials across multiple services and do not use two-factor authentication.
If you’re worried your data may have been compromised, here are some steps to take.
Have I Been Pwned?
Hunt runs “Have I Been Pwned” – a site that allows you to check whether your email address has appeared in a known breach. Go ahead, search to see if your email address pops up. If it does, change the password on every account that used it.
To check whether your password may have been exposed in a previous data breach, go to Pwned Passwords. If your oh-so-secure password does pop up, it is already in at least one breach list, so you are at greater risk and should stop using it.
Hunt built this site over 18 months ago to help people check whether or not the password they'd like to use is on a list of known breached passwords. The site does not store your password next to any personally identifiable data, and every password is SHA-1 hashed.
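To make the SHA-1 detail above concrete, here is an added example (not code from the article or from Have I Been Pwned) of how a client can check a password against a breached-password corpus without ever sending the password itself. It uses the hash-prefix lookup the live Pwned Passwords service is known for: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every suffix sharing that prefix, and matches the rest locally. The corpus, the prevalence counts and the `fetch_range` stand-in for the network call are all constructed for this example; the function names are this example's own.

```python
import hashlib
import secrets
import string


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus: a few sample
# passwords with made-up prevalence counts (not real data from any service).
CONSTRUCTED_CORPUS = {
    "password": 3_500_000,
    "123456": 23_000_000,
    "letmein": 250_000,
}


def build_range_index(corpus: dict) -> dict:
    """Group hashed passwords by their 5-character SHA-1 prefix, mirroring the
    shape of a range lookup: prefix -> list of (35-char suffix, count)."""
    index: dict = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)


def fetch_range(prefix: str) -> str:
    """Simulated range endpoint (constructed; the live service answers an
    HTTPS GET for the prefix instead). Returns 'SUFFIX:COUNT' lines for every
    stored hash that shares the prefix, or an empty string if none do."""
    rows = RANGE_INDEX.get(prefix.upper(), [])
    return "\n".join(f"{suffix}:{count}" for suffix, count in rows)


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Client side of the check. Only the 5-character prefix leaves the
    client; the suffix comparison happens locally, so the server learns
    neither the password nor its full hash. Returns the number of times the
    password appears in the corpus, or 0 if it is not present."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def generate_password(length: int = 20) -> str:
    """What a password manager does for you: a random, unique password
    drawn from a cryptographically secure source."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("password", "letmein", generate_password()):
        hits = pwned_count(pw)
        print(f"{pw!r}: prefix {sha1_hex(pw)[:5]} sent, seen {hits} times")
```

Because the prefix covers only 16^5 = 1,048,576 buckets, every request is indistinguishable from a query for any other password in the same bucket, which is why the site can offer the check without learning what you typed. The `fetch` parameter lets the same client logic be pointed at the real endpoint when you are online.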
Other Safety Tips
Hunt provides three easy-to-follow steps for better online security. First, he recommends using a password manager, such as 1Password, to create and save a unique password for each service you use. Next, enable two-factor authentication wherever it is offered. Lastly, keep abreast of any breaches that affect accounts you hold.
Where The Data Is From
“The post on the forum referenced ‘a collection of 2,000+ dehashed databases and Combos stored by topic’ and provided a directory listing of 2,890 of the files which I've reproduced here,” wrote Hunt on his website. “This gives you a sense of the origins of the data but again, I need to stress ‘allegedly.’ Whilst there are many legitimate breaches that I recognise in that list, that's the extent of my verification efforts and it's entirely possible that some of them refer to services that haven't actually been involved in a data breach at all.”