A new world record was achieved in January 2019, but sadly it’s not something to celebrate; nearly 773 million email addresses and 22 million passwords were hacked and published online in what was the biggest data breach to date. Cyber security expert Troy Hunt found an impressive file on MEGA – a file-sharing platform that is the successor of Megaupload – that was suitably named Collection #1, containing 87GB of compromised credentials.
The news quickly spread worldwide, with many people fearing that their own online details had ended up on some hacker’s monitor, and the urge to change passwords began. Obviously, a data leak is always a serious matter, and this one in particular even dethrones Yahoo’s infamous 500 million data breach in 2016. But fortunately, this time the case may not be as bad as it seems.
More Smoke Than Fire?
As Motherboard rightfully highlights, millions of email addresses and passwords are hacked daily, but what makes this case unique is the fact that Collection #1 is precisely what its name indicates: a collection of older data breaches.
There are newly compromised credentials as well, obviously, but the good news is that of the nearly 773 million unique email addresses and 22 million passwords composing Collection #1, ‘only’ 18% of the emails and half of the passwords are new entries on Have I Been Pwned’s database. All the rest were already listed on the website – which was created by none other than Troy Hunt – that anyone can use to check which of their addresses have been affected. This collection, therefore, is essentially a compilation of what’s believed to be more than 2,000 former data breaches, which someone with enough time and patience has put together into a single file.
In his in-depth research into the file published on MEGA – which has since been deleted from the platform but is still around on hacking forums – the security researcher found out that the impressive 87GB of data was mainly composed of .txt files. While the exact origin of Collection #1 is still unknown, the total unique combinations of email addresses and passwords are over a billion, though it’s highlighted that these are unfiltered results containing “different delimiter types including colons, semicolons, spaces and a combination of different file types”.
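The mixed delimiters quoted above are one reason an unfiltered line count overstates the number of distinct credentials. The following is an added example, not code from Troy Hunt or Have I Been Pwned: it normalises lines that use colons, semicolons or whitespace as separators and compares raw rows with unique pairs and unique addresses. The function names and the sample lines are constructed for illustration, and it assumes the email address comes first on each line.

```python
import re

# Email first, then ONE delimiter (colon, semicolon, space or tab), then the
# rest of the line as the password, which may itself contain delimiter chars.
LINE_RE = re.compile(
    r"^\s*([^\s:;@]+@[^\s:;@]+\.[^\s:;@]+)\s*[:;\s]\s*(.+?)\s*$"
)

def parse_line(line):
    """Return (email, password), or None if the line is not a credential pair."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    email, password = match.groups()
    # Addresses are lowercased so that differently cased copies deduplicate.
    return email.lower(), password

def summarize(lines):
    """Count parsed rows, unique pairs and unique emails across mixed formats."""
    pairs, emails = set(), set()
    parsed_rows = rejected = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            rejected += 1          # headers, blank lines, malformed rows
            continue
        parsed_rows += 1
        pairs.add(parsed)
        emails.add(parsed[0])
    return {
        "parsed_rows": parsed_rows,
        "unique_pairs": len(pairs),
        "unique_emails": len(emails),
        "rejected": rejected,
    }

# Constructed sample input: same data repeated with different delimiters.
SAMPLE = [
    "alice@example.com:pass:word",
    "Alice@Example.com;pass:word",
    "bob@example.com ; hunter2",
    "carol@example.com hunter2",
    "alice@example.com\tsummer2016",
    "== shopping combos ==",
    "",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```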
The massive file is organized into a directory of different folders and subfolders, each one with different contents such as “mail access combos”, “shopping combos”, “EU combos”, and much more. There are over 12,000 separate files in total and, according to the researcher, he has seen his own accurate personal data in there. As he underlines, the data affected “only passwords that are no longer in use”, but these were passwords that had been stored as cryptographic hashes, which rings yet another alarm. Collection #1’s data breach also “contains ‘dehashed’ passwords which have been cracked and converted back to plain text”.
The Importance of Strong Credentials and Password Managers
Whether your credentials are listed on Have I Been Pwned or not, the best approach is to play it safe and give all your services renewed passwords. It cannot be stressed enough that passwords are very important and that they should never be mistreated. Every service nowadays requires some sort of login information and opting for ‘123456789’, ‘password’ or any other cliched alternative is simply giving away access to attackers. It’s always a smart idea to create a strong, unique password that no one will be able to guess, by using random letters, numbers, and even symbols, for example.
Yes, these will obviously be impossible to remember, especially if you need multiple passwords that aren’t in any way related to you. That means avoiding initials and birthdays, since they’re easily given away by social media profiles and pieced together. The best solution is to use a password manager, a tool that not only generates complex and unguessable passwords for you but also locks them all away in a secure digital vault. The vault, in turn, is protected by a master password, so you’ll only have to remember a single combination of characters. Likewise, it’s advisable to create a relatively secure password for this, because if someone is able to break into the vault, everything is at risk.
In addition, two-factor authentication should always be used when available, and the added protection of a VPN shouldn’t be discarded either, especially for those who often connect to public hotspots.