Time to get rid of that old dog password you use for online sites. Your weak moniker of #Buster400! just isn’t going to cut it anymore.
Security analysts have identified a monstrous data breach comprising 773 million email addresses and 21 million passwords.
The breach has been titled “Collection #1”, and unfortunately, more “Collections” are on the horizon.
First outed by Microsoft security consultant Troy Hunt, the data compilation comes from more than 2,000 different sources and adds up to 87GB of data in all.
And as if that wasn’t bad enough, the passwords are in plain text and easy to read.
The pre-packaged data was spotted on the Dark Web, up for sale to hackers. This information could be used for credential stuffing – a process where hackers try email address and password combinations on as many different apps and services as they can to see what hits.
“People take lists like these that contain our email addresses and passwords then they attempt to see where else they work,” says Hunt.
“The success of this approach is predicated on the fact that people reuse the same credentials on multiple services.”
Unfortunately, how the information was acquired and which accounts were breached isn’t clear.
According to a frustrated Hunt, “my own personal data is in there and it’s accurate; right email address and a password I used many years ago. Like many of you reading this, I’ve been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again. They’re also ones that were stored as cryptographic hashes in the source data breaches (at least the ones that I’ve personally seen and verified), but per the quoted sentence above, the data contains “dehashed” passwords which have been cracked and converted back to plain text. In short, if you’re in this breach, one or more passwords you’ve previously used are floating around for others to see.”
Ouch!
This breach is now classified as the biggest single batch of personal login data yet compiled, and it shows how extremely vulnerable you are when you use the same password for multiple logins.
What to do: