New Massive Security Breach Exposes 773 Million Passwords

Security researcher Troy Hunt, who maintains Have I Been Pwned, a website for those who want to know if their email address and/or passwords have been compromised in any security breaches (spoiler alert: yup), has released a report on a truly massive breach of some 773 million records. Even worse, that’s the net impact after Hunt attempted to strip the data set of duplicates and useless fields that didn’t contain email addresses or associated passwords.

The monster data dump goes by the prosaic “Collection #1” and contains 1.16B unique combinations of email addresses and passwords, but only 772 million unique email addresses. It’s the largest data dump to ever be loaded into Have I Been Pwned, and it represents a sort of meta-breach collection rather than the results of any single security exploit or corporate security shortfall.

The data in the breach comes from a variety of sources and Hunt stresses that not all of the ‘breaches’ have been verified, which is to say that not every database claimed to be represented in the hack may actually be represented in the hack. If you’ve ever explored the leaked material around your own email address, you’ve probably realized that not every leak contains accurate information — while I’ve seen my own email associated with passwords that I’ve used in the past, I’ve also seen emails I’ve used associated with passwords I’ve never used with those accounts.

A golden opportunity was missed to call this “1 Collection.” I’ll show myself out.

Hunt’s blog post contains instructions for how visitors can use Have I Been Pwned, as well as its companion application, Pwned Passwords. You can not only search for your email address to see if it’s been breached, but you can also check to see if your password has been seen. Hunt also discusses the ethical implications of creating a website where people check to see if their passwords have been leaked by entering them — check his blog post for more of his thoughts on the topic. It’s not crazy to have concerns about this issue, but the benefits may outweigh the risks.

The scale of Collection #1 is huge — by size alone, it’s one of the largest breaches in history, behind the massive Yahoo security failures. But it also contains roughly 140 million unique email accounts and 10 million unique passwords according to Hunt, with the passwords themselves in plaintext rather than circulating as uncracked cryptographic hashes.

This type of massive data breach is typically used in a credential stuffing attack rather than a targeted attempt to breach specific companies or individuals. Credential stuffing is exactly what it sounds like — pair up email addresses and passwords and attempt to use them to gain access to user accounts. Because people tend to re-use credentials across many sites and may not change passwords for months or years at a time, it can be surprisingly easy to gain access to accounts.
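The pattern described above is visible in login logs: one source tries many different accounts, only once or twice each, and mostly fails. The following is an added example, not code from Hunt's post or this article, and its log format, thresholds, and addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log (not real data): "timestamp source_ip account result"
SAMPLE_LOG = """\
2019-01-17T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-01-17T10:00:02Z 203.0.113.7 bob@example.com FAIL
2019-01-17T10:00:03Z 203.0.113.7 carol@example.com OK
2019-01-17T10:00:04Z 203.0.113.7 dave@example.com FAIL
2019-01-17T10:00:05Z 203.0.113.7 erin@example.com FAIL
2019-01-17T10:00:06Z 203.0.113.7 frank@example.com FAIL
2019-01-17T10:01:00Z 198.51.100.4 alice@example.com FAIL
2019-01-17T10:01:09Z 198.51.100.4 alice@example.com OK
2019-01-17T10:02:00Z 192.0.2.50 grace@example.com FAIL
2019-01-17T10:02:01Z 192.0.2.50 grace@example.com FAIL
2019-01-17T10:02:02Z 192.0.2.50 grace@example.com FAIL
2019-01-17T10:02:03Z 192.0.2.50 grace@example.com FAIL
"""

def find_stuffing_sources(log_text, min_accounts=5, min_fail_ratio=0.8,
                          max_tries_per_account=2):
    """Return {source_ip: stats} for sources that look like credential stuffing."""
    attempts = defaultdict(lambda: defaultdict(list))  # ip -> account -> results
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines rather than guessing
        _, ip, account, result = parts
        attempts[ip][account.lower()].append(result)

    flagged = {}
    for ip, per_account in attempts.items():
        total = sum(len(r) for r in per_account.values())
        fails = sum(r.count("FAIL") for r in per_account.values())
        # Stuffing: many distinct accounts, few tries each, mostly failing.
        # Many tries on ONE account, or a user mistyping, fall outside this.
        if (len(per_account) >= min_accounts
                and fails / total >= min_fail_ratio
                and total / len(per_account) <= max_tries_per_account):
            flagged[ip] = {
                "accounts_tried": len(per_account),
                "fail_ratio": round(fails / total, 2),
                # A success from a flagged source means a leaked pair still works.
                "force_reset": sorted(a for a, r in per_account.items() if "OK" in r),
            }
    return flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The `force_reset` list matters most to a defender: those accounts logged in successfully from a source that otherwise behaved like a stuffing run, so their passwords should be treated as reused and reset.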

If you’ve been affected by this breach and your password has leaked, we strongly recommend changing it on all of the sites affected. A service like a password manager may also be an effective way to keep a strong set of passwords with stronger overall security than a mnemonic device or a shorter set of random numbers and letters.
