If you’ve not yet heard, there’s been yet another data breach. So, what’s new, right? Security breaches most often occur because of a lack of awareness around security and, to be honest, because most of us are fairly lazy when it comes to password security. The Collection #1 data breach is no ordinary breach, impacting some 772,904,991 email addresses and more than 21 million unique passwords, and it’s being called “the mother of all security breaches” with good reason.
Does the Collection #1 Data Breach Affect Me?
Does the Collection #1 data breach affect you? Short answer, probably so. The breach is massive and it likely not only affects you, but chances are good it impacts your company as well. If you use the same password across multiple accounts, this is your wake up call to change that behavior stat. And know that even if you don’t use the same password across multiple sites, that doesn’t mean you are safe. I tested multiple email addresses for a few hours on Friday evening, and found many emails of friends, co-workers, and family members affected. This is no joke, so please take this breach, and the dangers it might present for you, seriously. Here’s how the hack happened, how it was discovered, and what you can do.
All About the Collection #1 Data Breach
The Collection #1 data breach may have gone unnoticed for a while if it weren’t for Troy Hunt, a security researcher who also created and maintains Have I Been Pwned—a site that provides a way to know if your email or password is impacted by a breach. Troy noticed a folder called Collection #1 on cloud service provider MEGA containing more than 12,000 files, weighing in at more than 87 gigabytes. Why so big? That’s because it was chock full of email addresses and passwords. The folder quickly appeared on a hacking forum and is claimed to contain the contents of upwards of 2,000 leaked databases with unprotected email addresses and passwords.
So where did all the passwords and email addresses come from? That’s sort of the problem. Unlike with most data breaches, they didn’t all come from the same site. Instead, the Collection #1 folder contains information leaked from a variety of databases, so it’s all from different data breaches. That makes the origin of this breach hard to pinpoint.
Who’s Affected by the Collection #1 Data Breach?
Who’s affected by the Collection #1 Data Breach? The real question should be “who’s not affected?” The Collection #1 folder features 2.7 billion rows of passwords and email addresses, creating more than 1 billion unique combinations. So sure, this data breach doesn’t involve credit card numbers or bank account information. But if you tend to use the same password across most of your accounts, you should be worried about the idea of hackers having access to it via Collection #1. Even if you use different passwords, you’re not immune in this breach.
After all, the passwords were saved in plain text, so there was nothing for hackers to decipher in order to access them. They weren’t for sale, either. They were free, just sitting there in a folder on a major cloud storage site, available for anyone to copy. That’s partly why this attack is a big deal!
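The point about plain text is worth seeing in code. Below is an added example (not from the original post, and not code from any of the breached sites) that puts a plain-text credential store next to one that stores a salted PBKDF2-HMAC-SHA256 hash. If the second store leaks, the attacker gets salt and hash but not the password itself; the record can only be verified, not read back. The user names and passwords are constructed sample data, and the iteration count is kept modest so the demo runs quickly.

```python
import hashlib
import hmac
import secrets

# Kept small so the example runs fast; production deployments use far higher counts.
PBKDF2_ITERATIONS = 100_000


class PlainTextStore:
    """The weak design: exactly what a Collection #1 style dump exposes."""

    def __init__(self):
        self.records = {}  # username -> password, readable by anyone who gets the file

    def register(self, username, password):
        self.records[username] = password

    def verify(self, username, password):
        return self.records.get(username) == password


class HashedStore:
    """The hardened design: per-user random salt plus a slow, salted hash."""

    def __init__(self):
        self.records = {}  # username -> (salt, derived_key)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        key = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )
        self.records[username] = (salt, key)

    def verify(self, username, password):
        record = self.records.get(username)
        if record is None:
            return False
        salt, key = record
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(candidate, key)


def simulate_leak(store, username):
    """What an attacker who copies the store's file learns about one user."""
    return store.records[username]


def demo():
    # Constructed sample credentials for the demonstration.
    plain = PlainTextStore()
    hashed = HashedStore()
    plain.register("alice", "correct horse battery staple")
    hashed.register("alice", "correct horse battery staple")

    leaked_plain = simulate_leak(plain, "alice")      # the password itself
    leaked_hashed = simulate_leak(hashed, "alice")    # (salt, hash), not the password

    return {
        "plain_leak_is_password": leaked_plain == "correct horse battery staple",
        "hashed_leak_reveals_password": b"correct horse" in leaked_hashed[1],
        "hashed_verify_ok": hashed.verify("alice", "correct horse battery staple"),
        "hashed_verify_wrong": hashed.verify("alice", "password"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Salting is what stops one precomputed table from cracking every user at once, and the slow key derivation is what makes guessing each user's password expensive even after a leak; neither helps a site that stored plain text.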
What You Should Do Right Now
When a breach is described as “The mother of all data breaches” taking no action is, well, not smart. What you should do right now is to immediately go find out whether Collection #1 affects you personally. Chances are that it does, but you can find out for sure by putting in your email addresses (check them all!) at Have I Been Pwned. This site will tell you whether your email addresses or passwords have been involved in a data breach before. I put in my email addresses and found that one of them was found on eight breached sites. And two of the passwords I use regularly were found on hundreds of sites. Time to change those.
What to do right now? Check your email address as soon as possible. If you’re in the same situation as me, do this:
- Immediately change any affected passwords.
- Do NOT use the same password across multiple sites. Oh sure, I know it’s convenient, but that’s the quickest way to give a hacker access to a whole lot of information you might rather keep protected.
- Use two-factor authentication on any site that allows you to do that.
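For anyone who wants to check passwords (as opposed to email addresses) without handing the password to a third party, it helps to understand how the Have I Been Pwned password check works. The Pwned Passwords API uses k-anonymity: the client hashes the password with SHA-1 and sends only the first five hex characters of that hash to the range endpoint (https://api.pwnedpasswords.com/range/{prefix}); the server replies with every known hash suffix in that range and how often each was seen, and the match is made locally. The following is an added example written for this post, not code from Have I Been Pwned. It models both sides of that exchange offline: the `BREACHED_PASSWORDS` list is a constructed stand-in for the server-side breach corpus, and `fake_server_range` stands in for the real HTTP endpoint, so no network call is made.

```python
import hashlib
from collections import Counter

# Constructed stand-in for the server's breach corpus (duplicates model prevalence).
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "password", "letmein", "123456"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: group full hashes by their 5-character prefix."""
    counts = Counter(sha1_hex(p) for p in corpus)
    index = {}
    for full_hash, seen in counts.items():
        index.setdefault(full_hash[:5], []).append((full_hash[5:], seen))
    return index


def make_fake_server(index):
    """Return a lookup function plus a log of every prefix the client sent."""
    requests_seen = []

    def fake_server_range(prefix: str) -> str:
        requests_seen.append(prefix)
        rows = sorted(index.get(prefix, []))
        # Same line format as the real API body: SUFFIX:COUNT, one per line.
        return "\r\n".join(f"{suffix}:{seen}" for suffix, seen in rows)

    return fake_server_range, requests_seen


def pwned_count(password: str, range_lookup) -> int:
    """Client side: send only the hash prefix, match the suffix locally.

    Returns how many times the password appeared in the corpus (0 = not found).
    """
    full_hash = sha1_hex(password)
    prefix, suffix = full_hash[:5], full_hash[5:]
    body = range_lookup(prefix)
    for line in body.splitlines():
        if not line.strip():
            continue
        candidate_suffix, seen = line.split(":")
        if candidate_suffix == suffix:
            return int(seen)
    return 0


def check_passwords(passwords, corpus=BREACHED_PASSWORDS):
    """Run the protocol for several passwords; returns (results, prefixes sent)."""
    server, requests_seen = make_fake_server(build_range_index(corpus))
    results = {p: pwned_count(p, server) for p in passwords}
    return results, requests_seen


if __name__ == "__main__":
    results, sent = check_passwords(["password", "correct horse battery staple"])
    for pw, count in results.items():
        status = f"seen {count} time(s) in breach data" if count else "not found"
        print(f"{pw!r}: {status}")
    print("prefixes the server saw:", sent)
```

The thing to notice is the request log: the server only ever sees five hex characters, which is shared by a large number of unrelated passwords, so a breached password can be checked without the checking service learning which password was asked about.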
Also, think about using a password manager, like 1Password, which can store your passwords securely and monitor them to let you know right away if they’ve been involved in a data breach. Putting these tips into practice now should reduce your odds of being affected by the next data breach.
Lastly, if you’re in IT or HR, there is no better time than the present to focus on employee training as it relates to security and password management. Security first should be a mantra for all business leaders, as employees are both the weakest link when it comes to security, and the strongest line of defense when properly trained. It would be a good idea to immediately require a password change across the board, for the entire organization. It would also be a good idea to get some security training scheduled as quickly as possible, so that your employees understand the threat that the Collection #1 Data Breach presents, not only to them personally, but to the company and its employees and customers as a whole.