New Massive Security Breach Exposes 773 Million Passwords

New Massive Security Breach Exposes 773 Million Passwords

Security researcher Troy Hunt, who maintains the website Have I Been Pwned for those who want to know if their email address and/or passwords have been compromised in any security breaches (spoiler alert: Yup) has released a report on a truly massive breach of some 773 million records. Even worse, that’s actually the net impact after Hunt attempted to strip the data set of duplicates and useless fields that didn’t actually contain email addresses or associated passwords.

The monster data dump goes by the prosaic “Collection #1” and contains 1.16B unique combinations of email addresses and passwords, but only 772 million unique email addresses. It’s the largest data dump to ever be loaded into Have I Been Pwned, and it represents a sort of meta-breach collection rather than the results of any single security exploit or corporate security shortfall.

The data in the breach comes from a variety of sources and Hunt stresses that not all of the ‘breaches’ have been verified, which is to say that not every database claimed to be represented in the hack may actually be represented in the hack. If you’ve ever explored the leaked material around your own email address, you’ve probably realized that not every leak contains accurate information — while I’ve seen my own email associated with passwords that I’ve used in the past, I’ve also seen emails I’ve used associated with passwords I’ve never used with those accounts.

A golden opportunity was missed to call this “1 Collection.” I’ll show myself out.
A golden opportunity was missed to call this “1 Collection.” I’ll show myself out.

Hunt’s blog post contains instructions for how visitors can use Have I Been Pwned, as well as its companion application, Pwned Passwords. You can not only search for your email address to see if it’s been breached, but you can also check to see if your password has been seen. Hunt also discusses the ethical implications of creating a website where people check to see if their passwords have been leaked by entering them — check his blog post for more of his thoughts on the topic. It’s not crazy to have concerns about this issue, but the benefits may outweigh the risks.

The scale of Collection #1 is huge — by size alone, it’s one of the largest breaches in history, behind the massive Yahoo security failures. But it also contains roughly 140 million unique email accounts and 10 million unique passwords according to Hunt, with the passwords themselves in plaintext rather than circulating as uncracked cryptographic hashes.

This type of massive data breach is typically used in a credential stuffing attack rather than a targeted attempt to breach specific companies or individuals. Credential stuffing is exactly what it sounds like — pair up email addresses and passwords and attempt to use them to gain access to user accounts. Because people tend to re-use credentials across many sites and may not change passwords for months or years at a time, it can be surprisingly easy to gain access to accounts.

If you’ve been affected by this breach and your password has leaked, we strongly recommend changing it on all of the sites affected. A service like a password manager may also be an effective way to keep a strong set of passwords with stronger overall security than a mnemonic device or a shorter set of random numbers and letters.

Continue reading

Security Researcher: ‘solarwinds123’ Password Left Firm Vulnerable in 2019
Security Researcher: ‘solarwinds123’ Password Left Firm Vulnerable in 2019

SolarWinds, the company at the center of the massive hack that hit US government agencies and corporations, doesn't exactly use cutting-edge password techniques.

Microsoft Now Offers the Option to (Mostly) Ditch Your Password
Microsoft Now Offers the Option to (Mostly) Ditch Your Password

Microsoft wants to ditch passwords and it's making the feature widely available on Windows for the first time.

Microsoft, Apple, And Google Join Forces to Kill The Password
Microsoft, Apple, And Google Join Forces to Kill The Password

On World Password Day the world's three largest tech firms have announced an alliance to banish passwords to the ash heap of history.

Netflix Ads and Password Sharing Fees Could Arrive This Year
Netflix Ads and Password Sharing Fees Could Arrive This Year

In a notice sent to employees, Netflix management said they were aiming to have an ad-supported tier ready for sign-ups by the fourth quarter of 2022.