Renowned security researcher Troy Hunt has discovered a monster data leak involving hundreds of millions of email addresses.
A newly discovered data leak has been highlighted by cybersecurity researcher Troy Hunt, who maintains the Have I Been Pwned service, which allows users to see if their credentials have been compromised by data breaches.
What is the source of the leak?
Calling the data leak ‘Collection #1’, Hunt said it is likely to be “made up of many different individual data breaches from literally thousands of sources”, as opposed to a single breach of a major organisation or service.
Altogether, there are 1,160,253,228 unique combinations of email addresses and passwords, approximately 773m email addresses, and 21,222,975 unique passwords in the database. While many of the addresses stem from previous breaches, Hunt said that there are 140m addresses that Have I Been Pwned had not previously come across. The passwords are also all saved in plaintext, which makes things even more convenient for those who may want to use them.
The data made a brief appearance on the cloud storage service Mega and was then advertised on what Hunt described as a “popular hacking forum”. It is best described as a compilation of data aggregated from numerous breaches over the years.
Check if you were affected
Using Have I Been Pwned, users can type in their email address to check whether or not they have been affected. If you find your address has been implicated in a data leak or breach, a change of password is a must.
While you are at it, looking into multifactor authentication is also a wise move. Password managers are now widely accepted and are a lot safer than reusing the same passwords on all of your online accounts.
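An added example, not part of the article: the Have I Been Pwned service also exposes a Pwned Passwords "range" lookup that works on a k-anonymity model, so a password can be checked against leaked corpora without the password, or even its full hash, ever leaving your machine. Only the first five hex characters of the password's SHA-1 are sent, the service returns every hash suffix in that bucket with a breach count, and the comparison happens locally. The Python below implements that client-side logic; the `https://api.pwnedpasswords.com/range/<prefix>` endpoint is the real one, but the `LEAKED_SAMPLE` corpus, its counts and the response it is turned into are constructed here so the code runs offline, and `live_fetch_range` is only provided for a reader who wants to point the same check at the real service.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# Assumed (real) endpoint of the Pwned Passwords range API; not used by the offline test.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the hash Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix that may be sent, 35-char suffix that stays local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


# Constructed stand-in for leaked passwords and how often they were seen.
# The counts are made up for this example, not taken from the real service.
LEAKED_SAMPLE: Dict[str, int] = {
    "password": 3730471,
    "123456": 23174662,
    "letmein": 2222,
}


def build_fake_range_index(leaked: Dict[str, int]) -> Dict[str, str]:
    """Simulate the service: bucket suffixes by prefix, one "<suffix>:<count>" per line."""
    buckets: Dict[str, List[str]] = {}
    for pw, count in leaked.items():
        prefix, suffix = split_hash(pw)
        buckets.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in buckets.items()}


FAKE_INDEX = build_fake_range_index(LEAKED_SAMPLE)


def offline_fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTP call: returns the constructed bucket text."""
    return FAKE_INDEX.get(prefix, "")


def live_fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch a bucket from the real service (network required; not called by the test)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """Number of times the password appears in the corpus, 0 if absent.

    Only `prefix` is handed to fetch_range; the suffix comparison is done locally,
    which is the k-anonymity property the range API is designed around.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip() or 0)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not found'} (offline sample)")
```

Swap `offline_fetch_range` for `live_fetch_range` in the `pwned_count` call to query the real service; the only thing that changes is where the five-character bucket comes from, which is the point of the design.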
Looking at the type of attacks such a large database would be used for, Hunt notes “credential-stuffing” as a likely vector, one that is entirely predicated on password reuse, possibly the worst cyber-hygiene habit many of us have yet to kick.
He said: “The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago you’ve long since forgotten about, but because it’s subsequently been breached and you’ve been using that same password all over the place, you’ve got a serious problem.”
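Credential stuffing leaves a recognisable footprint on the service being attacked, distinct from a brute-force attack: one source tries a single password against many different accounts, most attempts fail, and the occasional success is exactly the reused-password case Hunt describes. As an added example (not from the article, and the log format, thresholds and IP addresses are all constructed here, using documentation ranges), the Python below parses a small authentication log and flags a source address when, inside a short window, it touches at least `min_distinct_users` accounts with a failure ratio of `min_fail_ratio` or higher, reporting which accounts it got into so they can be forced to reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class AuthEvent(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    ok: bool


# Constructed sample authentication log (not real data). One event per line:
# "<ISO-8601 timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>"
# 198.51.100.4 is an ordinary user who mistypes twice; 203.0.113.7 sprays eight accounts.
SAMPLE_LOG = """\
2019-01-17T09:00:01 198.51.100.4 alice LOGIN_FAIL
2019-01-17T09:00:09 198.51.100.4 alice LOGIN_FAIL
2019-01-17T09:00:20 198.51.100.4 alice LOGIN_OK
2019-01-17T09:01:00 203.0.113.7 alice LOGIN_FAIL
2019-01-17T09:01:01 203.0.113.7 bob LOGIN_FAIL
2019-01-17T09:01:02 203.0.113.7 carol LOGIN_FAIL
2019-01-17T09:01:03 203.0.113.7 dave LOGIN_OK
2019-01-17T09:01:04 203.0.113.7 erin LOGIN_FAIL
2019-01-17T09:01:05 203.0.113.7 frank LOGIN_FAIL
2019-01-17T09:01:06 203.0.113.7 grace LOGIN_FAIL
2019-01-17T09:01:07 203.0.113.7 heidi LOGIN_FAIL
2019-01-17T09:30:00 198.51.100.9 bob LOGIN_OK
"""


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the constructed log format above into AuthEvent records."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def detect_credential_stuffing(
    events: List[AuthEvent],
    window: timedelta = timedelta(minutes=5),
    min_distinct_users: int = 5,
    min_fail_ratio: float = 0.7,
) -> Dict[str, dict]:
    """Flag source IPs whose activity in any `window` looks like credential stuffing.

    The signal is many *distinct* usernames from one source with mostly failures;
    a brute-force attack would instead show one username with many attempts.
    Thresholds are illustrative and should be tuned to the service's baseline.
    """
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for ev in events:
        by_ip[ev.src_ip].append(ev)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            # Every event from this source within `window` of the i-th one.
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            users = {e.user for e in in_window}
            fails = sum(1 for e in in_window if not e.ok)
            ratio = fails / len(in_window)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                findings[ip] = {
                    "window_start": start.ts.isoformat(),
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    "fail_ratio": ratio,
                    # Accounts the source actually got into: these need a forced reset.
                    "successful_users": sorted(e.user for e in in_window if e.ok),
                }
                break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The normal user's two failed attempts are not flagged because they all target one account, while the spraying source is flagged on the first window that contains its burst, with `dave` listed as the account whose reused password worked.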
Underground data-trading a real threat
Will LaSala, director of security solutions and security evangelist at OneSpan, said: “This is a colossal breach. Those impacted should act fast to change any reused passwords, as the exposed credentials can be used by criminals in credential-stuffing attacks to cause maximum damage across multiple other accounts.
“And, with criminals trading assets in underground forums, data from this breach could easily be cross-referenced with information lying elsewhere to bypass authentication. For the more high-risk accounts like banking accounts, this poses a very real fraud threat.”