Named “Collection #1”, its statistics are as impressive as they are worrying: 87GB of data, 12,000 files, and 1.16 billion unique combinations of email addresses and passwords.
After cleaning up the data, Hunt reckons 773 million email addresses are unique, as are 21 million of the passwords, which is to say appearing in unhashed form only once within the cache.
Hunt said the data was discovered by “multiple people” on the MEGA cloud service being advertised as a collection made up of 2,000 or more individual data breaches stretching back some time.
Who has the data?
Given that it was being advertised and discussed on a criminal forum, in theory almost anyone visiting that source.
How far back in time does it go?
Probably many years as evidenced by Hunt himself, who discovered in Collection #1 an email address and old password used by him many years ago. In conclusion:
If you’re in this breach, one or more passwords you’ve previously used are floating around for others to see.
Which part of the data should we worry about?
Principally, the new data not already in HIBP’s databases – that’s 140 million email addresses and around 11 million of the 21 million unique passwords.
Hunt has published an incomplete list of the sites mentioned (although not verified) as being sources for Collection #1.
How might it be misused?
Hunt’s guess is the data was being marketed for automated credential stuffing in which credentials are entered on lots of other sites to see whether they’ve been re-used.
Credential stuffing is not new of course but it’s become standard issue these days – if web credentials are stolen, they’ll be tried on other services at some point. Observes Hunt:
You signed up to a forum many years ago you’ve long since forgotten about, but because it has subsequently been breached and you’ve been using that same password all over the place, you’ve got a serious problem.
What to do
To check whether your email addresses are in this cache (or any previous breach discovery), run a search using HIBP. If your email address was found in a breach where passwords were also stolen, such as the massive LinkedIn breach in 2012, then change your password for that site, if you haven’t already.
Of course, the sooner you change your password the better. If you’re changing your password now for a breach that happened in 2012, you have to expect that most of the damage has already been done (you should still change it though).
You can give yourself a chance to respond in a more timely fashion by signing up for email alerts about future compromises, or by using a browser or password manager that integrate with HIBP.
If you want to test if your go-to passwords have been involved in any breaches, HIBP has a search tool for that too – Pwned Passwords. You enter a password and the site tells you if it’s appeared in any breaches.
For example, Pwned Password search revealed the incredibly weak password ‘elvispresley’ has appeared 3,800 times in its database which means that anyone using it should use something else asap.
What it won’t tell you is the where the password was found. If a password you enter turns out to have been compromised but you don’t know which sites you used it on… then you’re left guessing.
(Incidentally, if you’re worried about the security of entering current passwords on a website to see whether they’ve been breached or used previously by someone else, read this explanation of how they are checked securely using something called k-anonymity.)
To give your passwords the best possible chance of not appearing on Pwned Passwords, use a properly secured password manager that will create and store secure passwords.