One of the largest public data breaches ever is causing new concerns in data security circles. Instead of a data breach of a single entity or organization, this data breach is a giant data leak of 773 million email addresses and 21 million passwords that have been collected over a period of several years from thousands of different sources. All told, over 87 gigabytes of personal information is now being sold on the dark web as part of this password leak, raising very important questions about personal data security online.
Details of the password leak
This massive password leak was first discovered by Troy Hunt, a security researcher and founder of the “Have I Been Pwned” (HIBP) service. According to Hunt, most of the passwords and emails appear to have been collected in the past 2-3 years. Hunt came across the massive password leak on the dark web, where the 87 GB data leak of email addresses and passwords is simply being called “Collection #1” and is being offered for sale by a well-known hacker for just $45.
According to Hunt, the hacker (who goes by the online screen name Sanix#6890) has several other collections of passwords and email addresses for sale. As a result, it’s perhaps best to think of “Collection #1” as a foreshadowing of what’s to come. Via the dark web, Troy Hunt communicated with the hacker and found out that “Collection #2,” will be even bigger, at 526 GB. That’s nearly seven times the size of “Collection #1,” so presumably it will contain an even greater number of passwords and emails. Based on what Troy Hunt has analyzed, he now estimates that the total treasure trove of stolen and hacked passwords might be as much as 1 Terabyte in size.
Comparison with other data breaches
Obviously, any time that you mention a password leak that could impact 773 million people, you are going to generate a lot of attention. To put the current data breach into context, a similar data breach at Marriott impacted 383 million guests, including a breach of over 5 million passport numbers. And a similar type of data breach at Equifax resulted in a leak of 147.7 million social security numbers. Thus, purely on size alone, this new data breach of unique email addresses and unique passwords is at least twice the size of any previous data breach.
The big question, of course, is just how severe this data breach really is. After all, other security researchers have looked into the data leak and found that many of the passwords and emails appear to date back to 2008, meaning that this security breach is really old news. Presumably, hackers have had access to this information for nearly 10 years, so any efforts to protect your email now are basically a case of too little, too late.
According to Tim Erlin, VP, product management and strategy at Tripwire, “After years of data breaches, there’s a lot of sensitive data that’s already been exposed floating around. Collections like these are made up more of previously exposed data than newly compromised information. Consumers should be aware that just because a breach occurred months or years back, that doesn’t mean the data won’t resurface or be used today and in the future.”
And while the discovery of “Collection #1” happened in January 2019, Hunt acknowledges that the data collection first went “on sale” on the dark web back in October 2018. So do you really think that hackers are going to wait until now to use these login credentials?