Once more unto the breach, dear friends, once more…
Another day, another data breach, so goes the news we see. The breach last week, however, was a MONSTER! Called “Collection #1,” 1,160,253,228 unique passwords and email addresses have been attributed to it!
The list, which consists of 773 million email addresses from several sources, published to the cloud storage service MEGA, was reported by Troy Hunt, the owner of the HaveIBeenPwned website, which indexes hacked information. This massive number of email addresses makes it the largest breach ever uploaded to Hunt's site, he said. But there are also 21,222,975 unique passwords released within the breach, stored in plain text for the world to see. What’s not exactly clear is whether the breach stored email addresses alongside the passwords used with them. It certainly appears so, however, as Hunt refers to the list storing 2.7 billion combinations of usernames and passwords.
If you’re not familiar with it, Hunt’s database allows you to check your email address to see if it's listed in the latest hack. More importantly, you can also check your password. If both turned up in the breach, you must assume that someone out there has access to your email. Some online services, like Google, also allow you to store third-party website passwords within the service. In this case, knowing your master Gmail password will give an attacker access to those, too.
If you use the same email address and password at multiple sites, the implications are clear: attackers who know you reused those credentials can try them from site to site (banking sites, your employer, Facebook, and more), an attack known as “credential stuffing,” and unlock your entire store of digital information…NOT GOOD!!
To gain more perspective on the Collection #1 data breach, the editors at Solutions Review magazine consulted with 4 cybersecurity experts from top solution providers.
Here’s what they learned:
Javvad Malik, Security Advocate, AlienVault
“Collection #1 is a massive dataset of compromised credentials across many different breaches. It goes to show the magnitude of the breaches and how the cumulative effect is quite devastating. It serves as a reminder about the risks that come with reusing passwords, and how using email addresses as an identifier can compromise individual privacy.”
“The silver lining is that companies can use the data from Collection #1 to enrich their detection capabilities by proactively looking at credential stuffing attacks and blocking users from reusing passwords that have been compromised.”
Carl Wright, CCO, AttackIQ
“In terms of volume, this leak is second only to Yahoo’s 2013 data breach that compromised three billion accounts. This immense exposure of unique combinations of email addresses and passwords can unfortunately be used by threat actors for the purposes of credential stuffing, which is the automated injection of compromised username and password combinations to gain unauthorized access to user accounts. And since so many individuals use the same passwords for numerous accounts, this approach is quite often successful.”
“For individuals who want to mitigate the chances of any of their accounts being compromised, there are a few steps to take. First, never reuse passwords. Instead, get a password manager to help keep track of all your different account passwords. Additionally, enable app-based two-factor authentication whenever possible.”
“For organizations, it is always far more efficient to continuously validate your current security measures rather than recovering from a breach of company or user data. Cybercriminals can wreak as much havoc easier than ever, especially since the attack surface is larger today than it has ever been.”
Raj Samani, Chief Scientist, McAfee
“This is scary but unfortunately, unsurprising. Hundreds of millions of people are still at risk of a multitude of vulnerabilities, created by sophisticated cybercriminals who are driven by monetary gain.”
“People need to act fast and defend themselves. With such a high volume of personal data being discovered, nobody can assume they haven’t been caught up in this. Passwords need to be changed immediately. If you have the same password across any account, device or app you need to make every single one unique, strong and never re-use it again. A password manager is a great option if you want to do this quickly.”
“As soon as a cyber-criminal has their hands on a password, they can gain access to your personal and even financial information by painting a ‘picture’ of you. This is a typical case of ‘fail to prepare, prepare to fail’ and should be the alarming wakeup call for people who do not place importance on their online security and data protection.”
Stephen Cox, VP & Chief Security Architect, SecureAuth
“Mounting evidence points at stolen credentials being involved in the vast majority of breaches, and there is no sign of this trend slowing down. More focus needs to be put on advanced authentication techniques to improve organizations’ security posture in this threat landscape, and minimize the potential impacts of these types of data breaches.”
“Far too many organizations are relying on approaches that have simply been proven ineffective against modern attackers, and they must be careful to not develop a false sense of security even when they’ve adopted vanilla two-factor authentication. These types of breaches will continue to proliferate unless organizations up their game for their employees and their customers, implementing multi-factor and adaptive authentication to render stolen credentials useless to an attacker.”
So what can you do? The first thing is to see if your email address has been compromised; chances are fairly good that it already has been in either this breach or another. Hunt’s site allows you to check your password, too. If this makes you feel a little uneasy—who is this Hunt guy, anyway?—you can read how Hunt anonymously stores passwords, or simply change your password first and then check your old (hopefully unique) password to see if it’s in the database. If it isn’t, relax.
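One way to do that password check without ever sending the password (or even its full hash) to anyone, as an added Python example that is not from the article or from HaveIBeenPwned itself: it follows the k-anonymity range lookup Hunt's Pwned Passwords API uses (SHA-1 the password, send only the first five hex characters, match the remaining 35 locally), and it stands in for the network call with a constructed response so it runs offline. The same `breach_count` function is what a site would call at signup to block already-compromised passwords, as Malik suggests above.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the Pwned Passwords "range" endpoint. The real service
# (https://api.pwnedpasswords.com/range/<5-hex-prefix>) answers with one line per
# known hash sharing that prefix, formatted "<35-hex-suffix>:<count>". Because only
# the prefix leaves your machine, the server cannot tell which password you asked
# about: that is the anonymity property the article alludes to.
CONSTRUCTED_BREACHED: Dict[str, int] = {   # plaintext -> breach count (counts are made up)
    "password": 3730471,
    "123456": 23174662,
    "qwerty": 3912816,
}

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash form Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the server, 35-char suffix kept local)."""
    h = sha1_hex(password)
    return h[:5], h[5:]

def build_range_response(prefix: str) -> str:
    """Simulate the range response for `prefix` from the constructed corpus."""
    lines = []
    for plaintext, count in CONSTRUCTED_BREACHED.items():
        p, suffix = split_hash(plaintext)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    lines.append("0" * 35 + ":1")   # constructed unrelated entry: parsing must match, not count lines
    return "\r\n".join(lines)

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse "<suffix>:<count>" lines into a lookup table; skip malformed lines."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if count.strip().isdigit():
            table[suffix.upper()] = int(count)
    return table

def breach_count(password: str,
                 fetch_range: Callable[[str], str] = build_range_response) -> int:
    """Number of times `password` appears in the corpus; 0 means not found."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def is_acceptable(password: str,
                  fetch_range: Callable[[str], str] = build_range_response) -> bool:
    """Signup-time policy: reject any password seen in a breach at all."""
    return breach_count(password, fetch_range) == 0
```

To use it against the live service, pass a `fetch_range` that performs an HTTPS GET of the prefix and returns the response body; nothing else changes.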
If it's in the database, you’ll want to change this password NOW.
The tried-and-true protection against massive data breaches is a password manager. These usually cost a bit per month, but they can automatically generate impossible-to-guess passwords, which become even harder to abuse when paired with two-factor authentication. Even a password manager can’t be considered totally secure, but it’s far more effective than using “12345678” for every site on the web.