2019 already has its first major data leak which consists of approximately 773 million unique email IDs and 21 million unique passwords, as reported by Troy Hunt:
Last week, multiple people reached out and directed me to a large collection of files on the popular cloud service, MEGA (the data has since been removed from the service). The collection totalled over 12,000 separate files and more than 87GB of data.
Collection #1 Data Breach Explained
Apparently, one of Hunt’s contacts pointed him to a popular hacking forum where the data was being “socialized”. On an image associated with the data there was a root folder named “Collection #1”, and so the researcher decided to name the breach this way. It appears that the data comes from multiple sources, and is perhaps “a collection of 2000+ dehashed databases and combos stored by topic”, as explained on a forum post where the breach was “advertised”.
However, the origin of the data hasn’t been verified yet:
I’ve written before about what’s involved in verifying data breaches and it’s often a non-trivial exercise. Whilst there are many legitimate breaches that I recognise in that list, that’s the extent of my verification efforts and it’s entirely possible that some of them refer to services that haven’t actually been involved in a data breach at all.
It’s noteworthy that Troy Hunt’s own data is included in that breach list, and it appears to be accurate, consisting of an email address and a password he used many years ago. Hunt said these passwords were stored as cryptographic hashes in the original source breaches, whereas Collection #1 contains them in dehashed (plaintext) form. “In short, if you’re in this breach, one or more passwords you’ve previously used are floating around for others to see,” Hunt added.
“As of now, all 21,222,975 passwords from Collection #1 have been added to Pwned Passwords bringing the total number of unique values in the list to 551,509,767”, the researcher pointed out in his blog post. It is definitely a good idea to check your email addresses via the Have I Been Pwned? website to make sure they have (or haven’t) been “pwned”. This breach is also a good reminder that it is a bad idea to recycle the same (or similar) passwords over and over again.
Hunt’s recommendation is to protect your accounts using 1Password (or a similar service), then enable 2FA (two-factor authentication), and finally subscribe to notifications for data breaches. Changing your unique passwords from time to time is also recommended.