Troy Hunt, of HaveIBeenPwned fame, on January 17 reported what may be the biggest data breach ever. Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. That’s right, 2.6 billion rows. 773 million records, from over 12,000 files, with a total size surpassing 87 gigabytes. That’s a lot of personally identifiable information (PII) about all of us, I would guess. This information was being circulated on the popular cloud storage service MEGA for the low, low price of $45. This is not the Dark Web, it is the regular web.
On January 25, Germany’s Hasso-Plattner Institute (HPI) released a report about a second trove, called Collections 2-5. This information came from the same source as Collection 1, and it contains another 2.2 billion unique pairs of email addresses and passwords. This is an astounding 845 GB of data gathered from more than 2000 individual data breaches going back several years.
What this means is that more than one of your passwords may be in this huge list. So even if you use different passwords on different sites, your credentials for several sites may be in this trove.
Before you go nuts, it seems that much of this data is old and out of date. Nevertheless, this is still a massive collection of PII, and it would be a miracle if some of your email address and password pairs were not in this vast store. Remember last year’s successful sextortion scam? This was the phishing attack that claimed to have videos, taken by your own web cam, of you interacting with porn, and it worked by showing victims old passwords as “proof” of access.
I checked to see if my own information might be in this trove, and it seems that I am in the clear, at least, so far. You can check your own situation at https://haveibeenpwned.com. While you are at it, check out some of your passwords at Troy’s new Pwned Passwords page. I highly recommend reading Troy’s report if you are at all interested in the details.
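If you would rather check a password without typing it into a web page, the Pwned Passwords service also exposes a range lookup: you SHA-1 hash the password locally, send only the first five hex characters of the hash, and receive every hash suffix in that range along with how often it appeared in the breach corpus. The password itself never leaves your machine. The script below is an added example, not code from Troy Hunt's site or this post; it assumes the range endpoint at https://api.pwnedpasswords.com/range/ and its "SUFFIX:COUNT" line format, and it runs offline against a constructed sample response (the counts are made up, only the suffix for the word "password" is its real SHA-1 suffix).

```python
import hashlib
from typing import Dict, Tuple
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # assumed real endpoint


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash locally and split into the 5-char prefix that is sent and the
    35-char suffix that is kept private (k-anonymity model)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appeared in breaches (0 = not in this range)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix. Not used by the offline demo below."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "pwned-range-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6. The middle entry reuses the real
# SHA-1 suffix of "password"; the other suffixes and all counts are invented.
_PASSWORD_SUFFIX = sha1_prefix_suffix("password")[1]
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    f"{_PASSWORD_SUFFIX}:3730471",
    "1E2AAA439972480CEC7F16C795BBB429372:1",
])


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, SAMPLE_RANGE_RESPONSE)
        verdict = f"seen {n} times, change it" if n else "not in this sample range"
        print(f"{candidate!r}: {verdict}")
```

To run a live check, replace `SAMPLE_RANGE_RESPONSE` with `fetch_range(sha1_prefix_suffix(candidate)[0])`; the only data sent over the wire is the five-character prefix, which matches roughly one in a million SHA-1 hashes, so the server cannot tell which password you were asking about.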
Protecting yourself from these sorts of disclosures requires some serious password best practices. These include:
- Longer passwords of at least 12 characters
- Two-factor or multi-factor authentication. Currently I am favoring USB solutions such as a Yubikey or Google Titan, but authenticator phone apps are good too.
- Password managers such as LastPass, 1Password, or Dashlane.
- Sign up at HIBP for breach alerts. Click on “Notify Me” from the top menu.
The amount of information circulating on the Dark Web is staggering. You should keep track of any breaches that affect you personally. There is always the danger of identity theft, or other personal attacks, arising from breaches such as this one.
- Troy Hunt
- Brian Krebs
- Sophos Naked Security
- Hasso-Plattner Institute (HPI) (use Google translate to get English from German)