Troy Hunt, founder of data breach database Have I Been Pwned? (HIBP), has discovered a list of 773m email and password combinations being shared between hackers online for the purposes of credential stuffing and spam email campaigns.
Titled Collection #1, the data dump was made up of 2.7bn lines of data, including 1.2bn unique combinations of email addresses and passwords. The file size of all of the data came to 87GB.
Once case-sensitive duplicates and unnecessary lines were removed, the final dump contained 773m records and more than 21m unique passwords, highlighting that while many people are becoming more aware of cybersecurity issues, many still ignore the biggest (and yet easiest to safeguard against) security threat.
“Reuse is the biggest problem. I say that because of the rapid emergence of credential stuffing attacks, which is when an attacker takes usernames and passwords from a data breach and tests them against other services,” Hunt previously told Verdict.
Where did the data come from?
For many, this latest discovery will be old news. Old data stolen during large-scale breaches such as those against LinkedIn and Yahoo! often finds its way into fresh dumps like this, even though many of those affected have long since changed their account credentials.
Yet, according to Hunt, as many as 140m email addresses included in Collection #1 have never been seen before. A scan of a few hundred thousand of the combinations in the data set showed that just 82% were already included in the HIBP database.
The HIBP database is one of the largest collections of breached credentials, containing data from 340 large scale breaches and 87,000 data pastes.
The appearance of such a large amount of fresh compromised data could point towards some of the larger incidents that occurred last year, when corporations like British Airways, Ticketmaster and Marriott hotels all reported breaches.
However, a list of the databases allegedly compromised (originally shared on hacker forums but re-uploaded by HIBP here) suggests that the data was collected from more than 2,800 sources. These breaches date back as far as 2008, but also include data as recent as June 2018.
Greater care for cybersecurity needed
“It is quite the feat not to have had an email address, or other personal information breached over the last decade,” says Jake Moore, cyber security expert at ESET UK. “If you’re one of those people who think it won’t happen to you, then it probably already has.”
Given the HIBP database contains more than 6.5bn user credentials – approaching one for every person on the planet – there is a high chance that one of your accounts has been compromised at some point in time. And those are only the breaches that have been discovered.
To check whether your details are on the Collection #1 list, or whether your accounts were compromised in past breaches, search for your email address on HIBP; it will list every breach in which your account details appeared. While HIBP does not disclose the particular password(s) that were compromised, this does give some idea of your exposure.
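HIBP also offers a Pwned Passwords range lookup, which the article does not cover, that lets you test whether a password itself has appeared in breach data without sending the password anywhere: only the first five hex characters of its SHA-1 hash are sent, and the service returns every matching hash suffix with a count. The following is an added example, not code from the article or from HIBP; it assumes the `SUFFIX:COUNT` response format of that range endpoint and uses a constructed sample response in place of a live call.

```python
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How often the password appears in breach data (0 if never).
    Only the 5-character hash prefix is handed to fetch_range; the
    suffix comparison happens locally (k-anonymity)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Live lookup against the range endpoint (not used by the offline demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-reuse-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for the prefix of SHA-1("password").
# The decoy suffixes and all counts are made up for this example.
_PW_DIGEST = sha1_hex("password")
SAMPLE_RANGES = {
    _PW_DIGEST[:5]: "\n".join([
        f"{'0' * 35}:2",
        f"{_PW_DIGEST[5:]}:3730471",
        f"{'F' * 35}:15",
    ]),
}


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live, keyed on the hash prefix."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch_range_sample)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample")
```

Swap `fetch_range_sample` for `fetch_range_live` to query the real service; the password still never leaves the machine, only its hash prefix does.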
If you find your details have been compromised, it is probably time for a change.
Cybersecurity professionals recommend using a different password for each online service you use. This prevents hackers from breaking into your other accounts should one service be breached. Password managers provide a way of generating and remembering each password you use.
“Password managing applications are now widely accepted, and they are much easier to integrate into other platforms than before. Plus, they help you generate a completely random password for all of your different sites and apps,” Moore says.
“And if you’re questioning the security of a password manager, well they are incredibly safer to use than reusing the same three passwords for all your sites.”