News of a huge new breached cache of email and password combinations hit yesterday. Security researcher Troy Hunt uploaded 773 million unique email addresses and 21 million unique passwords from a data dump called “Collection #1” to his very useful Have I Been Pwned website, where users can go to find out if their email has been leaked in a breach.
It’s a pretty huge number, and it’s the largest number that Hunt has ever uploaded to his site. But is it time to panic? What does it mean for you?
Infosec journalist Brian Krebs made contact with someone who is selling the “Collection #1” cache online. According to Krebs, the seller claimed the data, which he is offering for $45, is two to three years old. The seller said the data is from “a huge number of hacked sites.”
So the data, while an expansive collection, is not new. Hunt says, however, that 140 million of the email addresses are new to Have I Been Pwned. So while it was already out there, now you know about it, and now you can find out whether yours was among the leaked records. You can also find out if any of your passwords are floating around in known breach dumps. (Discontinue use of any that are!)
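The password check mentioned above can be done without ever sending the password anywhere: Have I Been Pwned's Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every hash suffix it knows with that prefix, so the comparison happens on your own machine. The script below is an added example, not code from the article or from F-Secure; the sample response and its counts are constructed, and the live lookup assumes the api.pwnedpasswords.com range endpoint and its SUFFIX:COUNT line format.

```python
import hashlib
import urllib.request

# Constructed sample of a range response: each line is a 35-character SHA-1
# suffix and the number of times that password was seen in breach dumps.
# The counts are made up for this example; the live service returns real figures.
SAMPLE_RANGE_BODY = (
    "1E2DDE4B47F5B8EF6E8F1F7F0F8F5B0E1F2:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E5A6AE38CAF9A1ACFCB3B7B5F8E0C7F0D4:12\r\n"
)


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response locally for our suffix; return its breach count, or 0."""
    for line in range_body.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count.strip())
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the range response for a 5-char prefix (network access required)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in known dumps (0 = not found).
    `fetch` is injectable so the matching logic can be exercised offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    # Live lookup of an obviously weak password; only "5BAA6" is transmitted.
    print(pwned_count("password"))
```

A non-zero count means the password is in circulation and should be replaced; a zero only means it is not in the dumps HIBP has indexed, not that it is strong.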
These kinds of data dumps are commonly circulated among cyber criminals. They can be used for credential stuffing, which is simply trying the leaked username and password pairs on other sites to see where they still work. Cyber crooks use automated tools to do this fast. And according to Krebs’ reporting, leaked credentials are more useful for phishing, blackmail, and other indirect attacks.
While there’s no need to panic at the surfacing of data from old hacks, this is a great opportunity to, if you haven’t already, kick your password hygiene habits up a notch. That means, as always:
Use a unique and strong password for each of your accounts. Unique means a different password for each account and strong means complex and long. More about that here.
Use two-factor authentication for your most important, sensitive accounts. This extra step means a hacker will not only need your password to break into your account, but also physical access to your device.
Use a password manager such as F-Secure KEY, which is now part of F-Secure TOTAL. A password manager makes it smooth and easy to have a unique, long, and strong password for each and every account. Bonus: KEY also proactively notifies you about major data breaches rather than leaving you to find out about them later.
Getting your passwords in order requires a bit of effort, but it’s worth it for the peace of mind it brings. If you’re using a unique password for each account, and your credentials do end up leaking in a breach, you’ll only need to change the password for that one breached service. Much simpler than struggling to remember all the services where you use that same password.
New habits take time and can be intimidating, so start small if it helps. Download F-Secure KEY and input just one account there each day. In a few weeks or months, depending on how many you have, you can have all your accounts taken care of. Sounds like a great way to kick off the new year.