A couple of weeks ago, word of a massive data leak was being discussed on various hacker forums. Security researcher Troy Hunt first reported the leak when he too had heard rumours and was directed to a source on the popular file sharing site, MEGA. The data has since been removed from the site.
The leak, known as “Collection #1”, is a collection of leaked credentials from thousands of individual security breaches that have occurred over the last few years. The data includes hundreds of millions of unique email addresses and passwords, both hashed and unhashed. Collection #1 by itself is one of the largest data leaks in history.
However, in the last week or so, it has been discovered that there are more “collections”, namely Collections #2 through to #5. Collections #2 to #5 were found for sale on the dark web and included three times as much unique data as Collection #1. These ‘sequel’ leaks have brought the total number of unique email addresses and passwords to an astonishing 2.19 billion.
Who was affected?
At this scale, you can almost be certain that if you use a particular email address for a number of accounts, it has been leaked. If you only use your email address for email and a few popular social media sites, then you may be unaffected.
The breaches included in Collections #2 to #5 include the Yahoo!, LinkedIn and Dropbox data breaches that occurred some years ago. As mentioned previously, the bulk of the collections also consists of data from thousands of smaller data breaches that have occurred over the last few years.
Security researcher Troy Hunt, who first brought Collection #1 to light, created and maintains an excellent site for determining whether or not your email addresses or passwords have been compromised, called ‘Have I Been Pwned?’. The site allows you to input your email address or password (don’t worry, it’s safe – your password is hashed client-side), and it will alert you if either one has been seen in a data leak.
What can you do?
Our first recommendation would be to input your email address into the Have I Been Pwned website. It can be difficult to find out exactly which accounts have been compromised. If you use one or a few passwords for all of your accounts, you should update them across your primary accounts to be safe.
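As an added illustration of how a password check against a breach corpus can be done without the password leaving your machine (the point made above about the Have I Been Pwned check being hashed client-side), here is a small Python example. It is not code from Have I Been Pwned or from Agilient. What it models is the Pwned Passwords range lookup: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash; the service answers with every known hash suffix sharing that prefix, and the client does the final comparison locally. The breach corpus (SAMPLE_CORPUS), the in-process stand-in for the HTTP call (range_query) and the function names are all constructed for this example.

```python
import hashlib
from typing import Callable, Dict

# Constructed sample corpus (password -> number of times seen in breaches).
# This is made-up demo data, not any real collection.
SAMPLE_CORPUS: Dict[str, int] = {
    "password": 3,
    "letmein": 2,
    "correct horse battery staple": 1,
}

PREFIX_LEN = 5  # the real range API keys on the first 5 hex characters of SHA-1


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def client_request_for(password: str) -> str:
    """The only value a client needs to transmit: the 5-char hash prefix."""
    return sha1_hex(password)[:PREFIX_LEN]


def range_query(prefix: str) -> str:
    """Stand-in for the service side of GET /range/<prefix>.

    Returns 'SUFFIX:COUNT' lines for every corpus hash whose SHA-1 starts with
    the prefix. A real service returns hundreds of suffixes per prefix, which is
    what makes the prefix alone uninformative about the password.
    """
    lines = []
    for pw, count in SAMPLE_CORPUS.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[PREFIX_LEN:]}:{count}")
    return "\n".join(lines)


def pwned_count(password: str, query: Callable[[str], str] = range_query) -> int:
    """How many times the password appears in the corpus, or 0 if never seen.

    Only the hash prefix goes to `query`; the suffix comparison stays local.
    """
    full_hash = sha1_hex(password)
    prefix, suffix = full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]
    for line in query(prefix).splitlines():
        if not line.strip():
            continue
        candidate_suffix, count = line.split(":", 1)
        if candidate_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "letmein", "a-long-unique-passphrase-2019"):
        seen = pwned_count(pw)
        verdict = f"seen {seen} time(s), change it" if seen else "not in corpus"
        print(f"{pw!r}: sends prefix {client_request_for(pw)} -> {verdict}")
```

To use this against the live service you would replace range_query with an HTTPS GET of https://api.pwnedpasswords.com/range/ followed by the prefix and pass the response body back; the matching logic is unchanged. A non-zero count is the signal to change that password everywhere it was reused.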
Ideally, if you haven’t already, we highly recommend that you take the time to start using a password manager such as LastPass, Dashlane or 1Password. This will enable you to have unique passwords for every account without having to remember them all; you only have to remember one strong password. These password managers will also alert you when your accounts have been involved in a breach, and for many popular services the manager can even automatically change your password for you.
Password managers can be used enterprise-wide to ensure that password security within an organisation is strong and maintained, as the password security for all employees can be managed by IT or security personnel. All of the major password managers offer business features and pricing.
It is also a good idea to notify friends and family that their passwords may have been compromised and to perhaps educate them on good password security habits. It is very likely that such password leaks will become more prevalent in the future.
Agilient specialises in educating organisations on best security practice and how to improve security habits. If you’d like to know more about how we can help your organisation, contact us today.
Author: Jack Schofield, Agilient Consultant