Time to change your password: “Collection #1” data breach is one of the largest on record

It may be time to change your passwords again.

I hope your password wasn’t “password”

Did you receive an email this morning informing you that your personal information was exposed in a data breach called Collection #1? You’re not alone, and it’s a reminder to take precautions like enabling two-factor authentication and signing up for a password manager. And it might also be time to reset your password.

Security researcher Troy Hunt, who runs breach notification site Have I Been Pwned (HIBP), first reported the Collection #1 exposure. The massive trove of leaked data, which was posted to a hacking forum, includes some 772,904,991 unique email addresses and 21,222,975 unique passwords, Hunt said.

“Collection #1 is a set of email addresses and passwords totaling 2,692,818,238 rows,” Hunt explained in a Thursday blog post. “It’s made up of many different individual data breaches from literally thousands of different sources.”

Hunt said he first caught wind of the breach last week when several people pointed him to a suspicious collection of files on the cloud service Mega. The 87GB collection, which contained more than 12,000 files, has since been removed from Mega, but found its way to a “popular hacking forum,” he wrote.

“My own personal data is in there and it’s accurate; right email address and a password I used many years ago,” Hunt wrote. “If you’re in this breach, one or more passwords you’ve previously used are floating around for others to see.”

HIBP’s lookup won’t tell you which, if any, of your passwords leaked, but Hunt does offer a feature that lets you manually check your current passwords against a list of known breached ones. On the HIBP site, click “Passwords” at the top, then enter the password you’re concerned about (HIBP won’t see your actual password, according to Hunt).

Security experts have discovered what very well could be one of the largest data breaches of all time, a collection of 772,904,991 unique emails and 21,222,975 unique passwords.

Called “Collection #1,” the breach was initially reported by Troy Hunt and seemingly comes from many different sources, not a single corporate entity. And it’s an especially dangerous one as he says it creates 1.16 billion “unique combinations of email addresses and passwords”.

People can check to see if their accounts and passwords were compromised at Hunt’s “Have I Been Pwned?” website.

The data was spread across 12,000 separate files clocking in at 87 GB, posted on hacking forums. What’s especially troubling to security experts is that the files contain “dehashed” passwords, meaning hackers were able to circumvent the methods used to scramble those passwords into unreadable strings and expose them.

To put this massive breach into perspective, it’s not on the scale of Yahoo’s breach, which ultimately compromised 3 billion user accounts, but it’s significantly larger than the Marriott/Starwood Hotel breach of last year, which saw 383 million records accessed, or the 117 million users whose information was stolen from LinkedIn in 2012.

“Here’s How to Find Out if Your Email Was One of the 773 Million Exposed in Massive Data Breach”. Fortune Media IP, US. Retrieved January 17, 2019.

“‘Collection #1’ Breach Exposes a Record 773 Million Email Addresses”. PC Mag, US. Retrieved January 17, 2019.