One of the largest public credential dumps ever recorded is causing fresh concern in data security circles. Rather than a breach of a single organization, this is an aggregate leak of 773 million unique email addresses and 21 million unique passwords, compiled over several years from thousands of different sources. All told, more than 87 gigabytes of personal data is circulating as part of this password leak, and it raises important questions about personal data security online.
Details of the password leak
This massive password leak was first disclosed by Troy Hunt, a security researcher and founder of the "Have I Been Pwned" (HIBP) service. According to Hunt, much of the data appears to have been collected in the past two to three years, although a great deal of it is older. The 87 GB set of email addresses and passwords, whose root folder was simply named "Collection #1", was advertised on a hacking forum, and subsequent reporting found it being offered for sale for just $45.
The seller (who goes by the online screen name Sanix#6890) has several other collections of passwords and email addresses for sale, so it is best to think of "Collection #1" as a foreshadowing of what is to come. Brian Krebs, who contacted the seller after Hunt's disclosure, reported that "Collection #2" is even bigger, at 526 GB. That is roughly six times the size of "Collection #1", so it presumably contains an even greater number of passwords and email addresses. Taken together, the collections on offer would total close to 1 terabyte of stolen credential data.
Comparison with other data breaches
Any password leak that could affect 773 million people is going to generate a lot of attention. To put it in context, the Marriott breach affected 383 million guests, including over 5 million passport numbers, and the Equifax breach exposed 147.7 million Social Security numbers. Purely on size, this collection of unique email addresses and passwords is roughly twice as large as any single previous breach, although the comparison is imperfect: Marriott and Equifax were breaches of one organization's systems, while "Collection #1" is an aggregation of records taken from thousands of separate incidents.
The big question is how severe the leak really is. Other security researchers who examined the data found that many of the records appear to date back to 2008, and a reasonable first reaction is that this is old news: attackers have had the information for up to a decade, so protecting your email now is too little, too late. That reasoning only holds if you have since changed every password that appears in the collection. A ten-year-old password that is still in use, or still reused on another site, is just as exploitable today as it was in 2008.
According to Tim Erlin, VP, product management and strategy at Tripwire, “After years of data breaches, there’s a lot of sensitive data that’s already been exposed floating around. Collections like these are made up more of previously exposed data than newly compromised information. Consumers should be aware that just because a breach occurred months or years back, that doesn’t mean the data won’t resurface or be used today and in the future.”
And while Hunt's disclosure of "Collection #1" came in January 2019, later reporting found that the collection had been offered for sale since October 2018. Do you really think attackers waited until now to use these credentials?
Implications of the password leak
If you are concerned that your email address and password might be among the 773 million in the leak, Hunt offers a simple remedy: go to his website "Have I Been Pwned", type in your email address, and in a few seconds you will see whether it appears in the collection. The companion "Pwned Passwords" service lets you check a password the same way, without the password itself ever leaving your machine. Hunt himself acknowledges that he found one of his own old email addresses in the collection.
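The password check described above works because Pwned Passwords uses a k-anonymity range query: the client hashes the password with SHA-1 and sends only the first five hex characters; the service returns every hash suffix sharing that prefix, and the match is made locally. The following is an added example written for this page, not code from Troy Hunt or the HIBP project. It assumes the public endpoint `https://api.pwnedpasswords.com/range/{prefix}` and its `SUFFIX:COUNT` line format; the sample response embedded in the block is constructed for the example and is not real API output.

```python
"""Check a password against Pwned Passwords with a k-anonymity range query.

Added example for this page (not HIBP's own code). Assumes the range endpoint
https://api.pwnedpasswords.com/range/<first 5 hex chars of uppercase SHA-1>,
which returns one "SUFFIX:COUNT" line per hash sharing that prefix. Only the
5-character prefix ever leaves the machine; the suffix match happens locally.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response ('SUFFIX:COUNT' per line) into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Fetch the range for a prefix from the live API (needs network access)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-range-example"},  # assumed UA string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times `password` appears in Pwned Passwords (0 = not found).

    `fetch` is injectable so the matching logic can be exercised offline.
    """
    prefix, suffix = split_sha1(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
# The other suffixes and all counts are made up for this example.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "00A38E9B54F3DA4E7F5A0A3CC0BE6E1C2E1:2",
    "FFD2C6E5D1E4C5D4D3B9D5B2A8E1F0C9A7B:17",
])


def offline_demo() -> Dict[str, int]:
    """Run the check against the constructed sample without touching the network."""
    def fake_fetch(prefix: str) -> str:
        return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

    return {
        "password": pwned_count("password", fetch=fake_fetch),
        "correct horse battery staple": pwned_count(
            "correct horse battery staple", fetch=fake_fetch),
    }


if __name__ == "__main__":
    for pw, n in offline_demo().items():
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample range")
```

To check a real password, call `pwned_count("...")` with the default `fetch_range`; a non-zero count means the password has appeared in a breach corpus and should not be used anywhere.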
Beyond the sheer size of this leak, what stands out is the harm that follows from email addresses and passwords leaking together as pairs. As Troy Hunt and other researchers point out, your most important password is the one for your email account, because password resets for almost every other account are delivered to that mailbox. Leaked email and password pairs are the raw material for a tactic called "credential stuffing".
Credential stuffing rests on the observation that most people reuse the same password across many sites. Rather than guessing passwords (brute force), attackers use bots to replay the leaked email and password pairs against the login pages of many services at once; only a small fraction of the pairs still work, but at the scale of hundreds of millions that is still a great many accounts. If a pair happens to open your mailbox, the attacker can then take over every other account tied to that address simply by requesting password resets and reading the reset emails.
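Because credential stuffing replays pairs across many accounts, its footprint in authentication logs is one source trying many different accounts in a short window with a high failure rate and the occasional success, which is different from brute force (one account, many attempts) and from an ordinary user mistyping a password. The following detector is an added example written for this page, not code from the article or from any vendor quoted in it. The log line format, the sample log and the thresholds are all assumptions made for the example.

```python
"""Credential-stuffing detection over authentication logs (added example).

Not from the article. Assumes one line per login attempt in the form
  <ISO-8601 UTC timestamp> src=<ip> user=<account> result=OK|FAIL
Thresholds are illustrative; tune them against your own traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (not real traffic):
#   203.0.113.5  sprays six distinct accounts, one succeeds  -> credential stuffing
#   198.51.100.9 hammers a single account                     -> brute force
#   192.0.2.7    one user fails once, then logs in            -> normal
SAMPLE_LOG = """\
2019-01-17T10:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2019-01-17T10:00:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2019-01-17T10:00:02Z src=203.0.113.5 user=carol@example.com result=OK
2019-01-17T10:00:03Z src=203.0.113.5 user=dave@example.com result=FAIL
2019-01-17T10:00:03Z src=203.0.113.5 user=erin@example.com result=FAIL
2019-01-17T10:00:04Z src=203.0.113.5 user=frank@example.com result=FAIL
2019-01-17T10:00:10Z src=198.51.100.9 user=grace@example.com result=FAIL
2019-01-17T10:00:11Z src=198.51.100.9 user=grace@example.com result=FAIL
2019-01-17T10:00:12Z src=198.51.100.9 user=grace@example.com result=FAIL
2019-01-17T10:00:13Z src=198.51.100.9 user=grace@example.com result=FAIL
2019-01-17T10:00:14Z src=198.51.100.9 user=grace@example.com result=FAIL
2019-01-17T10:00:15Z src=198.51.100.9 user=grace@example.com result=FAIL
2019-01-17T10:05:00Z src=192.0.2.7 user=heidi@example.com result=FAIL
2019-01-17T10:05:20Z src=192.0.2.7 user=heidi@example.com result=OK
"""


def parse_log(text: str) -> List[dict]:
    """Parse log lines into event dicts; lines not matching the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def classify_sources(events: List[dict], window: timedelta = timedelta(minutes=10),
                     min_attempts: int = 5, min_distinct: int = 5,
                     min_fail_ratio: float = 0.6) -> Dict[str, dict]:
    """Label suspicious source IPs using a sliding window per source.

    Returns {src: {"label", "attempts", "distinct_users", "failures", "successes"}}
    for sources that look like credential stuffing (many distinct accounts,
    mostly failing) or brute force (one account, mostly failing). Sources that
    trip neither rule are omitted. For a flagged source the stats reported are
    those of the last qualifying window.
    """
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    flagged: Dict[str, dict] = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            win = evs[start:end + 1]
            attempts = len(win)
            failures = sum(e["result"] == "FAIL" for e in win)
            distinct = {e["user"] for e in win}
            if attempts < min_attempts or failures / attempts < min_fail_ratio:
                continue
            if len(distinct) >= min_distinct:
                label = "credential_stuffing"
            elif len(distinct) == 1:
                label = "brute_force"
            else:
                continue
            flagged[src] = {
                "label": label,
                "attempts": attempts,
                "distinct_users": len(distinct),
                "failures": failures,
                # Accounts that opened: these need a forced reset and a look for abuse.
                "successes": sorted(e["user"] for e in win if e["result"] == "OK"),
            }
    return flagged


if __name__ == "__main__":
    for src, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The successes list is the part a responder cares about most: a successful login inside a stuffing window is an account that was opened with a reused password and should be reset and reviewed, not merely rate-limited.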
Potential remedies for those impacted by the data breach
Understanding how attackers work tells you how to protect your accounts. The first step is to use a long, unique password for every account. Nobody can remember dozens of such passwords, so use a password manager to generate and store them.
In addition, wherever possible, turn on multi-factor authentication. In its most common form a website texts a one-time code to your phone, which you enter alongside your password; the idea is that an attacker who obtained your password from a leak does not also hold your phone. SMS is the weakest form of second factor, because codes can be intercepted or redirected by a SIM-swap attack on your mobile account, so prefer an authenticator app or a hardware security key where the site offers one. Even SMS-based codes, however, are far better than a password alone against credential stuffing.
And, finally, the common-sense way to limit the damage from any password leak is never to reuse a password, neither across sites nor after it has been exposed. In the case of "Collection #1", which contains password data up to ten years old, you can spare yourself a lot of anxiety simply by retiring every password you have used in the past decade.
Felix Rosbach, product manager at comforte AG suggests that, “Sometimes there’s no way to be sure that the services we use are protected by an adequate amount of security. The best way to protect yourself is to use different passwords for all your online accounts and change them regularly. Otherwise, if one is compromised, then you can assume they’ve all been compromised.”
So, if you have not done so already, change the password on your email account first. And if you are serious about keeping your accounts out of attackers' hands, start using a password manager, which will generate a unique random password for every site. It may once have been possible to ignore online security risks, but as this massive password leak shows, the scale of credential attacks keeps growing.