The Internet has just witnessed the largest data breach in history. The breach, which is being called Collection #1, was first identified and reported by security researcher Troy Hunt.
According to Hunt, Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows, taken from many different individual data breaches from literally thousands of different sources. In total, there were 772,904,991 unique email addresses in Collection #1.
The package was spotted being hawked around for sale among hacker communities, and could be used for credential stuffing, i.e. people take lists like these that contain email addresses and passwords and then attempt to see where else they work. The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because, many years ago, you signed up to a forum you’ve long since forgotten about. If that forum has subsequently been breached and you’ve been using that same password all over the place, you’ve got a serious problem.
Hunt discovered the breach after multiple people reached out and directed him to a large collection of files on the popular cloud service MEGA (the data has since been removed from the service). The collection totalled over 12,000 separate files and more than 87GB of data. The following image was found on a hacking forum where the data was being socialised:
As you can see at the top left of the image, the root folder is called “Collection #1”, hence the name. The expanded folders and file listing give an indication of the nature of the data and how it has been drawn from various different sources.
So should you be worried about the breach? Possibly. 772,904,991 is a lot of email addresses. Even if you’re not among the almost 773 million outed addresses, this incident is a clear indication that we need to take our online security very seriously. Choosing strong passwords, periodically changing your passwords and having different passwords for different services are some of the steps you can take to protect yourself from online data breaches as best as possible.