In one of the biggest data breaches ever, over 772 million email addresses and 22 million unique passwords have been dumped online. The data was released as a collection of files uploaded to the cloud service MEGA. Calling it Collection #1, Microsoft regional director and MVP for developer security Troy Hunt said the data dump was “a set of email addresses and passwords totalling to 2,692,818,238 rows”, or 2.69 billion rows. Hunt was one of the first people to identify this breach and has also pointed out that the dump adds up to “1,160,253,228 unique combinations of email addresses and passwords”, or 1.16 billion.
As of now, Hunt has pointed out that this is just the first collection of the data dump, and there could be many others waiting to be discovered. The scale of this data dump is unprecedented. The breach includes 800 million email addresses and passwords, many of them reused over and over across the internet. Taken together, the data can be used to attack people whose credentials have been “pwned”.
The post on troyhunt.com, which Hunt states was “written for the masses”, contains the following excerpt: “In total, there are 1,160,253,228 unique combinations of email addresses and passwords. This is when treating the password as case sensitive but the email address as not case sensitive. This also includes some junk because hackers being hackers, they don’t always neatly format their data dumps into an easily consumable fashion.”
The blog post also says, “Whilst I can’t tell you precisely what password was against your own record in the breach, I can tell you if any password you’re interested in has appeared in previous breaches Pwned Passwords has indexed,” which essentially means that if one of your passwords shows up on the Have I Been Pwned (HIBP) website, it’s probably a good time to change it to something unique.
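As an added example (not code from Hunt's post or from this article), the client-side logic of a Pwned Passwords check in Python: the service's range API is queried with only the first five hex characters of the password's SHA-1 hash, so the full hash and the password itself never leave the machine. The endpoint URL is the real one; the range response body embedded below is constructed for offline use, and its breach counts are illustrative, not real figures.

```python
import hashlib
from typing import Callable, Tuple
from urllib.request import Request, urlopen

# Real endpoint of Troy Hunt's Pwned Passwords range API. Only a 5-character
# hash prefix is sent; the server returns every suffix it knows for that prefix.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our own suffix.
    Returns the number of times the password appeared in indexed breaches,
    or 0 if the suffix is absent. Blank or malformed lines are skipped."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count) if count.strip().isdigit() else 0
    return 0


def fetch_range(prefix: str) -> str:
    """Live network fetch; used only when no other fetcher is injected."""
    req = Request(PWNED_RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetcher: Callable[[str], str] = fetch_range) -> int:
    """Full k-anonymity check: hash locally, send prefix, match suffix locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetcher(prefix))


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts with
# it). The other suffixes and all counts are made up for this example.
CONSTRUCTED_RANGE_5BAA6 = "\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
])

if __name__ == "__main__":
    offline = lambda prefix: CONSTRUCTED_RANGE_5BAA6
    print("password seen", pwned_count("password", offline), "times in the constructed data")
```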
The troyhunt.com post also stated that the data dump files go back as far as 2008. This means some of the underlying breaches may have occurred as far back as then, and there is a strong possibility that a further breach could occur at any time. In short, the data dump puts a huge number of websites at risk, along with your data.
The major risk here, as pointed out by Hunt, is credential stuffing – “the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts – using email and password combinations.” Hunt says this method works because people recycle their old passwords across different email IDs.
How to check if my email has been exposed
Go to haveibeenpwned.com; you will see a data entry box where you can enter the email address you are concerned about.
Click the “pwned?” button and it will show whether your address is present in any breached sites. If it is, it’s time to change your password to something unique.
If your email ID has appeared in the breach, we would also advise readers to change to a random password and to switch on two-factor authentication.