Data breaches are becoming increasingly more common, but today’s is a doozy: 1,160,253,228 unique passwords and email addresses have been attributed to a breach that’s being called “Collection #1.”
The collective list of 773 million email addresses from several sources, published to the cloud storage service MEGA, was reported by Troy Hunt, the owner of the HaveIBeenPwned website, which indexes hacked information. The number of email addresses makes it the largest breach ever uploaded to Hunt's site, he said. But there’s also 21,222,975 unique passwords released within the breach, stored in plain text for the world to see.
What’s not exactly clear is whether the breach stored an email address that’s actually associated with the password it used. (It certainly appears so, however, as Hunt refers to the list storing 2.7 billion combinations of usernames and passwords.)
But that’s not really the point: Hunt’s database allows you to check your email address to see if it's turned up in the latest hack. More importantly, you can also check your password; if both turned up in the breach, you have to assume that someone out there has access to your email. (Some online services, like Google, also allow you to store third-party website passwords within the service. In that case, knowing your master Gmail password will give an attacker access to those, too.)
What’s especially dangerous is if you use both your email address and the same password at multiple sites. This is known as “credential stuffing,” and the implications should be clear: If an attacker knows that you used the same email and password at multiple sites, they can go from site to site (banking sites, your employer, Facebook, and more) and try to unlock your store of digital information.
So what can you do? The first thing to do is to check if your email has been compromised; chances are that it already has, either in this breach or another. Hunt’s site allows you to check your password, too, to see if it has turned up in Collection #1. If this makes you feel a little queasy—who is this Hunt guy, anyway?—you have a couple of options to make you feel safer: Read how Hunt anonymously stores passwords, or simply change your password. You can then check your old (hopefully unique) password to see if that turned up in the database. If it didn’t, relax.
If it did, you’ll want to start manually changing your password, and fast. We have some advice on how to deal with a data breach, too.
The tried-and-true protection against massive data breaches is, of course, to use a password manager. They usually cost a bit per month, but they can automatically generate impossible to guess passwords, which become even more complicated to crack when paired with two-factor authentication. Even a password manager can’t be considered totally secure, but it’s way more effective than using “12345678” for every site on the web.