Have Your Email Address and Password Been Leaked?
According to the Have I Been Pwned (HIBP) website, a huge new cache of breached email addresses and passwords is circulating among criminals.
The cache, named “Collection #1”, is very worrying: it consists of 87GB worth of data spread across 12,000 files and contains 1.16 billion unique combinations of email addresses and passwords. After cleaning up the data, it was reckoned that 773 million email addresses were unique, as were 21 million of the passwords.
According to HIBP, several people discovered the cache on the MEGA cloud service, where it was being advertised as a collection made up of over 2,000 individual data breaches stretching back some time. It is not yet clear who has the data, but because it is being advertised and discussed on a criminal forum, in theory almost anyone visiting that forum could have it, so it is criminals who have the data.
The guess is that the data was being marketed for automated credential stuffing, in which credentials are entered on lots of other sites to see whether they’ve been re-used. Credential stuffing is not new, of course, but it has become standard practice these days: if web credentials are stolen, they’ll be tried on other services at some point.
What to do?
If you signed up to a forum many years ago and have long since forgotten about it, but it has subsequently been breached and you’ve been using that same password all over the place, then you’ve got a serious problem.
To check whether your email addresses are in this cache, run a search using HIBP. If your email address was found in a breach where passwords were also stolen, such as the massive LinkedIn breach in 2012, then change your password for that site, if you haven’t already. The sooner you change your password the better.
If you want to test if your go-to passwords have been involved in any breaches, HIBP has a search tool for that too – Pwned Passwords. You enter a password and the site tells you if it’s appeared in any breaches.
For example, a Pwned Passwords search revealed that the incredibly weak password ‘elvispresley’ has appeared 3,800 times in its database, which means that anyone using it should use something else.