Largest data breach involving a massive collection of stolen data | More than 770m email addresses and passwords posted on hacker site. The biggest hoard of stolen data ever discovered, comprising of more than 770m email addresses and passwords has been found posted on a popular hacking forum. The 87GB data dump was discovered last December by Troy Hunt, a security researcher, who runs the ‘Have I Been Pwned’ data-breach-notification service. Mr Hunt, who called the upload “Collection #1”, said it is probably “made up of many different individual data breaches from literally thousands of different sources”, rather than representing a single hack of a very large service. The arduous task of piecing together previous breaches has resulted in a huge collection. “In total, there are 1,160,253,228 unique combinations of email addresses and passwords,” Hunt writes, and “21,222,975 unique passwords”. The majority of the email addresses have appeared in previous data breaches discovered being shared amongst hackers. These include the 360 million MySpace accounts hacked in 2008, and the 164 million LinkedIn accounts hacked in 2016. The researcher said:
…there’s somewhere in the order of 140m email addresses in this breach that HIBP has never seen before.
Consumers beed to be vigilant
Security experts say the discovery of Collection #1 reinforces the need for consumers to use password managers, like 1Password or LastPass, to store a random, unique password for every service they use. “It is quite a feat not to have had an email address or other personal information breached over the last decade,” said Jake Moore, a cybersecurity expert at ESET UK. He added:
If you’re one of those people who think it won’t happen to you, then it probably already has. Password-managing applications are now widely accepted, and they are much easier to integrate into other platforms than before. Plus, they help you generate a completely random password for all of your different sites and apps. And if you’re questioning the security of a password manager, they are incredibly safer to use than reusing the same three passwords for all your sites.
Hunt warns that the primary use for such a dataset is “credential stuffing” attacks, which take advantage of precisely the sort of password reuse that password managers exist to prevent.
People take lists like these that contain our email addresses and passwords then they attempt to see where else they work. …The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago you’ve long since forgotten about, but because its subsequently been breached and you’ve been using that same password all over the place, you’ve got a serious problem.
Sources and credits: The Guardian