More than 87GB of passwords and email addresses have been leaked and distributed in a folder dubbed “Collection #1” by hackers in a significant data breach. If you’re in this breach, one or more passwords you’ve previously used are floating around for others to see.
Nearly 22 million unique passwords and more than 772 million email addresses were hosted on the cloud storage service MEGA. The link to the dump was posted on a hacking forum, but has since been taken down from the service, according to mashable.com.
Troy Hunt, a security researcher, explains that the cache of emails and passwords was built up from numerous data breaches, allegedly from thousands of sources, dating all the way back to 2008.
In total, there are 1,160,253,228 unique combinations of email addresses and passwords, according to troyhunt.com. The unique email addresses totalled 772,904,991. There are 21,222,975 unique passwords.
Where has the data come from?
A large collection of files on the MEGA cloud service was socialized in a popular hacking forum. The first site on the list was breached in 2015, but there’s also a file in there which suggests 2008. These are lots of different incidents from lots of different time frames.
In order to assess your personal exposure, check your email address here: https://haveibeenpwned.com/
What’s the Risk If My Data Is in There?
The list can be used for credential stuffing – the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.
In other words, people take lists like these that contain our email addresses and passwords, then attempt to see where else they work. The success of this approach is predicated on the fact that people reuse the same credentials on multiple services.
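The same pattern seen from the side of a service operator, as an added example that is not part of the original article: credential stuffing shows up in login logs as one source trying many different accounts once or twice each, mostly failing, with the occasional success where a password was reused. The events, addresses, account names and thresholds below are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, succeeded).
# Addresses are from documentation ranges; none of this is real data.
SAMPLE_EVENTS = (
    # One source, 12 different accounts, one try each, one reused password works.
    [("203.0.113.7", f"user{i:02d}@example.com", i == 5) for i in range(12)]
    # A user mistyping their own password, then getting it right.
    + [("198.51.100.4", "alice@example.com", ok) for ok in (False, False, True)]
    # Repeated guessing against a single account (brute force, not stuffing).
    + [("192.0.2.9", "admin@example.com", False) for _ in range(15)]
)


def detect_stuffing(events, min_accounts=10, max_avg_tries=2, min_fail_ratio=0.8):
    """Flag sources whose logins look like credential stuffing.

    Thresholds are illustrative assumptions, not tuned values.
    """
    per_ip = defaultdict(lambda: defaultdict(list))
    for ip, user, ok in events:
        per_ip[ip][user].append(ok)

    findings = {}
    for ip, users in per_ip.items():
        attempts = [ok for tries in users.values() for ok in tries]
        fail_ratio = attempts.count(False) / len(attempts)
        avg_tries = len(attempts) / len(users)
        # Many distinct accounts, few tries per account, mostly failures.
        if (len(users) >= min_accounts and avg_tries <= max_avg_tries
                and fail_ratio >= min_fail_ratio):
            findings[ip] = {
                "accounts_tried": len(users),
                "fail_ratio": round(fail_ratio, 2),
                # Accounts that logged in from this source need a forced reset.
                "compromised": sorted(u for u, t in users.items() if any(t)),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_EVENTS).items():
        print(ip, info)
```

Grouping by source IP is only one signal; the same counting can be applied to other keys a log records, such as user agent or network block.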
What can you do if you’re in the data?
If you’re reusing the same password(s) across services, Hunt recommends getting a password manager app and using strong, unique passwords across all accounts. Also turn on 2-factor authentication wherever it’s available.