New Massive Security Breach Exposes
Security researcher Troy Hunt, who maintains the website Have I Been Pwned for those who want to know if their email address and/or passwords have been compromised in any security breaches (spoiler alert: Yup) has released a report on a truly massive breach of some 773 million records. Even worse, that’s actually the net impact after Hunt attempted to strip the data set of duplicates and useless fields that didn’t actually contain email addresses or associated passwords.
The monster data dump goes by the prosaic “Collection #1” and contains 1.16B unique combinations of email addresses and passwords, but only 772 million unique email addresses. It’s the largest data dump to ever be loaded into Have I Been Pwned, and it represents a sort of meta-breach collection rather than the results of any single security exploit or corporate security shortfall.
The data in the breach comes from a variety of sources and Hunt stresses that not all of the ‘breaches’ have been verified, which is to say that not every database claimed to be represented in the hack may actually be represented in the hack. If you’ve ever explored the leaked material around your own email address, you’ve probably realized that not every leak contains accurate information — while I’ve seen my own email associated with passwords that I’ve used in the past, I’ve also seen emails I’ve used associated with passwords I’ve never used with those accounts.
Hunt’s blog post contains instructions for how visitors can use Have I Been Pwned, as well as its companion application, Pwned Passwords. You can not only search for your email address to see if it’s been breached, but you can also check to see if your password has been seen. Hunt also discusses the ethical implications of creating a website where people check to see if their passwords have been leaked by entering them — check his blog post for more of his thoughts on the topic. It’s not crazy to have concerns about this issue, but the benefits may outweigh the risks.
The scale of Collection #1 is huge — by size alone, it’s one of the largest breaches in history, behind the massive Yahoo security failures. But it also contains roughly 140 million unique email accounts and 10 million unique passwords according to Hunt, with the passwords themselves in plaintext rather than circulating as uncracked cryptographic hashes.
This type of massive data breach is typically used in a credential stuffing attack rather than a targeted attempt to breach specific companies or individuals. Credential stuffing is exactly what it sounds like — pair up email addresses and passwords and attempt to use them to gain access to user accounts. Because people tend to re-use credentials across many sites and may not change passwords for months or years at a time, it can be surprisingly easy to gain access to accounts.
If you’ve been affected by this breach and your password has leaked, we strongly recommend changing it on all of the sites affected. A service like a password manager may also be an effective way to keep a strong set of passwords with stronger overall security than a mnemonic device or a shorter set of random numbers and letters.