Collection #1: a data trove of over 2.6 billion rows of stolen passwords and email addresses has been discovered on a hacker forum, sparking new concerns over the damage that data breaches can cause.
Australian cybersecurity expert and Microsoft Regional Director Troy Hunt was tipped off about the data collection and, when he investigated, found 772,904,991 unique email addresses in it.
The collection totalled more than 12,000 separate files amounting to 87GB of data and contained 21,222,975 unique passwords.
Mr Hunt wrote a blog post on his website describing the stolen data, in which he states that he too is a victim: “My own personal data is in there and it’s accurate; right email address and a password I used many years ago.”
The breach has been named Collection #1 after the title the hackers gave the root folder. It appears that the collection is not the result of one breach but is an aggregation of many breaches from an array of sources.
Data in Collection #1 is DeHashed
Most worrying is that the data in the files is not protected by encryption or hashing. Mr Hunt notes that: “The data contains “dehashed” passwords which have been cracked and converted back to plain text.” This means that anyone with access to the files can read the credentials directly, with no cracking effort required, and use them for malicious activity.
The main concern is that threat actors will use the data in credential stuffing attacks. In a credential stuffing attack an automated process tests the stolen email address and password pairs against an array of websites to find which are still valid, giving the attacker access to the accounts on those sites.
An automated bot can test millions of combinations across thousands of sites. Credential stuffing should be a key concern for anyone who reuses the same email and password combination across multiple accounts: in that scenario the breach of one account is the breach of all.
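The attack pattern described above has a recognisable fingerprint in authentication logs: one source address cycling through many different usernames in a short window with a low success rate, whereas a legitimate user who mistypes a password retries the same account a few times. The following script is an added example, not code from the article or from Have I Been Pwned; the log format and the sample lines are constructed for illustration, and the thresholds (five distinct users inside sixty seconds, at most half of attempts succeeding) are assumptions that a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not real data). One line per login attempt.
# 203.0.113.5 sprays six different accounts in four seconds and gets one hit: stuffing.
# 198.51.100.7 is a user who fat-fingers a password twice, then logs in: benign.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z src=203.0.113.5 user=alice@example.com result=fail
2019-01-17T10:00:02Z src=203.0.113.5 user=bob@example.com result=fail
2019-01-17T10:00:02Z src=203.0.113.5 user=carol@example.com result=fail
2019-01-17T10:00:03Z src=203.0.113.5 user=dave@example.com result=success
2019-01-17T10:00:03Z src=203.0.113.5 user=erin@example.com result=fail
2019-01-17T10:00:04Z src=203.0.113.5 user=frank@example.com result=fail
2019-01-17T10:00:10Z src=198.51.100.7 user=alice@example.com result=fail
2019-01-17T10:00:12Z src=198.51.100.7 user=alice@example.com result=fail
2019-01-17T10:00:15Z src=198.51.100.7 user=alice@example.com result=success
2019-01-17T10:05:00Z src=192.0.2.9 user=grace@example.com result=success
"""

# Assumed log line layout: timestamp, source address, account, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Return a time-ordered list of (timestamp, src, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines instead of aborting the whole analysis
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "success"))
    events.sort(key=lambda e: e[0])
    return events


def _has_stuffing_window(attempts, window_seconds, min_distinct_users, max_success_rate):
    """Slide a time window over one source's attempts; True if any window looks like stuffing."""
    start = 0
    for end in range(len(attempts)):
        while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
            start += 1
        window = attempts[start:end + 1]
        distinct_users = {user for _, user, _ in window}
        if len(distinct_users) < min_distinct_users:
            continue
        successes = sum(1 for _, _, ok in window if ok)
        if successes / len(window) <= max_success_rate:
            return True
    return False


def find_credential_stuffing(text, window_seconds=60, min_distinct_users=5, max_success_rate=0.5):
    """Flag source addresses that try many distinct accounts quickly with mostly failures.

    For each flagged source the summary covers all of its attempts, so the
    'compromised' list shows which accounts the stuffing run actually got into.
    """
    by_src = defaultdict(list)
    for ts, src, user, ok in parse_log(text):
        by_src[src].append((ts, user, ok))

    flagged = {}
    for src, attempts in by_src.items():
        if not _has_stuffing_window(attempts, window_seconds, min_distinct_users, max_success_rate):
            continue
        flagged[src] = {
            "attempts": len(attempts),
            "distinct_users": len({user for _, user, _ in attempts}),
            "successes": sum(1 for _, _, ok in attempts if ok),
            "compromised": sorted(user for _, user, ok in attempts if ok),
        }
    return flagged


if __name__ == "__main__":
    for src, summary in find_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {summary}")
```

The key signal is the distinct-user count per source, not the failure count alone: a lockout rule based on failures per account never fires against stuffing, because each account is only tried once. In production the same logic would also be run keyed on user-agent or on an ASN, since stuffing tools routinely rotate through proxy addresses.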
Troy Hunt runs the website Have I Been Pwned (HIBP), which users can use to check whether their email address has appeared in a known breach. You can simply visit the site and enter your email address to receive a free report on whether it has been involved in a previous breach; a companion service on the same site, Pwned Passwords, does the same for individual passwords.
Troy Hunt commented that: “As of now, all 21,222,975 passwords from Collection #1 have been added to Pwned Passwords bringing the total number of unique values in the list to 551,509,767.”
“140M email addresses in this breach that HIBP has never seen before. The data was also in broad circulation based on the number of people that contacted me privately about it and the fact that it was published to a well-known public forum”
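Checking whether one of your own passwords is in the Pwned Passwords set does not require sending the password, or even its full hash, to HIBP: the public range API accepts only the first five hex characters of the password's SHA-1 and returns every known hash suffix under that prefix, so the match is made locally. The script below is an added example written for this article, not code from HIBP or from Mr Hunt; the endpoint is the publicly documented Pwned Passwords range API, while the sample range response and the count in it are constructed so the check runs offline.

```python
import hashlib
import urllib.request

# Public Pwned Passwords range endpoint: GET /range/<first 5 hex chars of SHA-1>.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password and split it into the 5-char prefix that is sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Scan a range response (lines of SUFFIX:COUNT) for our suffix; return its count, or 0 if absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines in the response
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Fetch the live range for a prefix. Only the 5-char prefix ever leaves the machine."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-passwords-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_pwned_count(password, fetch=fetch_range):
    """Return how many times the password appears in Pwned Passwords (0 means not found).

    `fetch` is injectable so the logic can be exercised offline against a canned response.
    """
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for a range response (not real API output). The second line is the
# genuine SHA-1 suffix of the string "password" under prefix 5BAA6; the counts are made up.
CONSTRUCTED_RANGE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E7F9C5B8A3F2B0B7F1B3C9D2E6A1F0B4C7:2
"""


def offline_fetch(prefix):
    """Fake fetcher that returns the constructed range regardless of prefix."""
    return CONSTRUCTED_RANGE


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = password_pwned_count(candidate, fetch=offline_fetch)
        verdict = f"seen {n} times, do not use" if n else "not in the constructed range"
        print(f"{candidate!r}: {verdict}")
```

With the real fetcher the same call queries the live API; the design point to notice is that the server learns only a prefix shared by hundreds of hashes, so it cannot tell which password was checked. Integrating this into a signup or password-change flow is the usual way to stop users from picking a password that already sits in a collection like this one.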
Jake Moore, cyber security expert at ESET UK, commented in an email to Computer Business Review that: “There has never been a better time to change your password. It is quite a feat not to have had an email address, or other personal information breached over the last decade. If you’re one of those people who think it won’t happen to you, then it probably already has.”
“Password managing applications are now widely accepted, and they are much easier to integrate into other platforms than before. Plus, they help you generate a completely random password for all of your different sites and apps. And if you’re questioning the security of a password manager, well they are incredibly safer to use than reusing the same three passwords for all your sites.”
The post Collection #1 The Biggest Batch Of Stolen Emails and Password Yet appeared first on Computer Business Review.