In what has been described as one of the largest data breaches in history, the Have I Been Pwned? (HIBP) website, owned by Troy Hunt, last week revealed another huge cache of breached email addresses and passwords.
Known as Collection #1, the data breach is said to have leaked more than 700 million emails and passwords. The 87GB pile of data also included more than 21 million different passwords, bringing the total number of records contained in the database to 2.7 billion.
The files were originally found on the cloud service MEGA, advertised as a collection made up of 2,000 or more individual data breaches stretching back some time, and were later posted to a popular hacking forum.
Given that the data records were being advertised and discussed on a criminal forum, almost anyone visiting that forum can access them.
So how far back in time does this breach go? Well, according to Troy Hunt, who is also a regional director at Microsoft and highly respected in the world of cybersecurity research, this could be years, since he discovered an email address and an old password he used years ago in the Collection #1 files. This means if you’re in this breach, one or more passwords you’ve previously used are floating around for others to see.
According to Hunt, this data could be misused in different ways, such as credential stuffing, in which credentials are entered on lots of other sites to see whether they’ve been re-used.
Credential stuffing is not new of course but it’s become standard issue these days – if web credentials are stolen, they’ll be tried on other services at some point.
To check whether your email addresses are in this cache (or any previous breach discovery), run a search using HIBP. If your email address was found in a breach where passwords were also stolen, such as the massive LinkedIn breach in 2012, then change your password for that site, if you haven’t already.
If you want to test if your go-to passwords have been involved in any breaches, HIBP has a search tool for that too – Pwned Passwords. You enter a password and the site tells you if it’s appeared in any breaches.
You can also give your passwords the best possible chance of not appearing on Pwned Passwords by using a properly secured password manager that will create and store secure passwords.