{"id":14335,"date":"2019-01-17T10:45:14","date_gmt":"2019-01-17T18:45:14","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/01\/17\/news-8087\/"},"modified":"2019-01-17T10:45:14","modified_gmt":"2019-01-17T18:45:14","slug":"news-8087","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/01\/17\/news-8087\/","title":{"rendered":"An Astonishing 773 Million Records Exposed in Monster Breach"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5c3fd497da9f412c5578c531\/master\/pass\/folders.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett | Date: Thu, 17 Jan 2019 01:12:58 +0000<\/strong><\/p>\n<p><span class=\"lede\">There are breaches, <\/span>and there are <a href=\"https:\/\/www.wired.com\/story\/how-to-stop-breaches-equifax\/\">megabreaches<\/a>, and there\u2019s <a href=\"https:\/\/www.wired.com\/story\/how-to-protect-yourself-from-that-massive-equifax-breach\/\">Equifax<\/a>. But a newly revealed trove of leaked data tops them all for sheer volume: 772,904,991 unique email addresses, over 21 million unique passwords, all recently posted to a hacking forum.<\/p>\n<p>The data set was <a href=\"https:\/\/www.troyhunt.com\/the-773-million-record-collection-1-data-reach\/\" target=\"_blank\">first reported by security researcher Troy Hunt<\/a>, who maintains <a href=\"https:\/\/haveibeenpwned.com\/\" target=\"_blank\">Have I Been Pwned<\/a>, a way to search whether your own email or password has been compromised by a breach at any point. (Trick question: It has.) The so-called Collection #1 is the largest breach in Hunt&#x27;s menagerie, and it\u2019s not particularly close.<\/p>\n<p class=\"paywall\">If anything, the above numbers understate the real volume of the breach, as they reflect Hunt\u2019s effort to clean up the data set to account for duplicates and to strip out unusable bits. 
In raw form, it comprises 2.7 billion rows of email addresses and passwords, including over a billion unique combinations of email addresses and passwords.<\/p>\n<p class=\"paywall\">The trove appeared briefly on MEGA, the cloud service, and persisted on what Hunt refers to as \u201ca popular hacking forum.\u201d It sat in a folder called Collection #1, which contained over 12,000 files that weigh in at over 87 gigabytes. While it\u2019s difficult to confirm exactly where all that info came from, it appears to be something of a breach of breaches; that is to say, it claims to aggregate over 2,000 leaked databases that contain passwords whose <a href=\"https:\/\/www.wired.com\/2016\/06\/hacker-lexicon-password-hashing\/\">protective hashing<\/a> has been cracked.<\/p>\n<p class=\"paywall\">\u201cIt just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers,\u201d Hunt tells WIRED. \u201cThere\u2019s no obvious patterns, just maximum exposure.\u201d<\/p>\n<p class=\"paywall\">That sort of Voltron breach <a href=\"https:\/\/www.wired.com\/story\/wired-guide-to-data-breaches\/\">has happened before<\/a>, but never on this scale. In fact, not only is this the largest breach to become public, it\u2019s second only to <a href=\"https:\/\/www.wired.com\/story\/yahoo-breach-three-billion-accounts\/\">Yahoo\u2019s pair of incidents<\/a>\u2014which affected 1 billion and 3 billion users, respectively\u2014in size. Fortunately, the stolen Yahoo data hasn\u2019t surfaced. Yet.<\/p>\n<p class=\"paywall\">The accumulated lists seem designed for use in so-called credential-stuffing attacks, in which hackers throw email and password combinations at a given site or service. 
These are typically automated processes that prey especially on people who reuse passwords across the whole wide internet.<\/p>\n<p class=\"paywall\">The silver lining in Collection #1 going public is that you can definitively find out if your email and password were among the impacted accounts. Hunt has already loaded them into <a href=\"https:\/\/haveibeenpwned.com\/\" target=\"_blank\">Have I Been Pwned<\/a>; just type in your email address and keep those fingers crossed. While you\u2019re there you can also find out how many previous breaches you\u2019ve been a victim of. Whatever password you\u2019re using on those accounts, change it.<\/p>\n<p class=\"paywall\">Have I Been Pwned also introduced a <a href=\"https:\/\/haveibeenpwned.com\/Passwords\" target=\"_blank\">password-search feature<\/a> a year and a half ago; you can just type in whatever passwords go with your most sensitive accounts to see if they\u2019re out in the open (the page hashes the password in your browser and sends only the first five characters of the SHA-1 hash, so the password itself never leaves your machine). If they are, change them.<\/p>\n<p class=\"paywall\">And while you\u2019re at it, <a href=\"https:\/\/www.wired.com\/story\/password-manager-autofill-ad-tech-privacy\/\">get a password manager<\/a>. It\u2019s well past time.<\/p>\n<p class=\"paywall\">Pretty darn serious! While it doesn&#x27;t appear to include more sensitive information, like credit card or Social Security numbers, Collection #1 is historic for scale alone. A few elements also make it especially unnerving. First, around 140 million email accounts and over 10 million unique passwords in Collection #1 are new to Hunt\u2019s database, meaning they\u2019re not just duplicates from prior megabreaches.<\/p>\n<p class=\"paywall\">Then there\u2019s the way in which those passwords are saved in Collection #1. \u201cThese are all plain text passwords. If we take a breach like Dropbox, there may have been 68 million unique email addresses in there, but the passwords were cryptographically hashed, making them very difficult to use,\u201d says Hunt. 
Instead, the only technical prowess someone with access to the folders needs to break into your accounts is the ability to scroll and click.<\/p>\n<p class=\"paywall\">And lastly, Hunt also notes that all of these records were sitting not in some dark web backwater, but on one of the most popular cloud storage sites\u2014until it got taken down\u2014and then on a public hacking site. They weren\u2019t even for sale; they were just available for anyone to take.<\/p>\n<p class=\"paywall\">The usual <a href=\"https:\/\/wired.com\/story\/how-to-protect-yourself-after-the-next-big-corporate-hack\/\">advice for protecting yourself applies<\/a>. Never reuse passwords across multiple sites; it increases your exposure by orders of magnitude. Get a password manager. Have I Been Pwned integrates directly into 1Password\u2014automatically checking all of your passwords against its database\u2014but you\u2019ve got no shortage of good options. Enable <a href=\"https:\/\/www.wired.com\/story\/two-factor-authentication-apps-authy-google-authenticator\/\">app-based two-factor authentication<\/a> on as many accounts as you can, so that a password isn\u2019t your only line of defense. And if you do find your email address or one of your passwords in Have I Been Pwned, at least know that you\u2019re in good company.<\/p>\n<p class=\"related-cne-video-component__dek\">Look, we get it. Remembering dozens and dozens of different passwords for different sites is next to impossible. But that doesn\u2019t mean you should be reusing your passwords. 
That\u2019s just asking for trouble.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/collection-one-breach-email-accounts-passwords\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5c3fd497da9f412c5578c531\/master\/pass\/folders.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Thu, 17 Jan 2019 01:12:58 +0000<\/strong><\/p>\n<p>Collection #1 appears to be the biggest public breach yet, with millions of unique passwords sitting out in the open.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-14335","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14335","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14335"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14335\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14335"},{"taxonomy":"post_tag","embeddable":true,"href":"http
s:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
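The password-search feature the article points to is backed by the Pwned Passwords range API (https://api.pwnedpasswords.com/range/), which works on k-anonymity: the client sends only the first five hex characters of the password's SHA-1 hash, the service answers with every known hash suffix in that range together with its breach count, and the comparison happens on the client. The Python client below is an added example written for this page; it is not code from WIRED, Troy Hunt or Have I Been Pwned. The live fetcher targets the real endpoint, but the `FAKE_RANGE_5BAA6` reply, its counts and the non-matching suffixes are constructed so the example runs offline (the only real value in it is the SHA-1 of the string "password").

```python
"""Check whether a password appears in Have I Been Pwned's Pwned Passwords
corpus without revealing the password to the service (k-anonymity range API).

Added example for this page, not code from the article or from HIBP.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into (5-char prefix, 35-char suffix).
    Only the prefix is ever sent over the network."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the service's 'SUFFIX:COUNT' lines into {suffix: count}.
    Entries with count 0 are padding the API adds when the client asks for it
    (Add-Padding header) and are not real hits, so they are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password has been seen in breaches; 0 means not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Query the real service. The request carries the 5-character prefix only;
    Add-Padding asks for decoy zero-count entries so response size leaks less."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service's reply to prefix 5BAA6. The SHA-1 of
# "password" really is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the counts
# and the other three suffixes are made up (a real range has hundreds of rows).
FAKE_RANGE_5BAA6 = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:0\r\n"  # padding entry, must be ignored
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "01330C689E5D64F660D17A9DCDC0C4E7A7E:12\r\n"
)


def fake_fetch_range(prefix: str) -> str:
    """Offline fetcher so the example runs without network access."""
    return FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    # Swap fake_fetch_range for live_fetch_range to query the real service.
    for pw in ("password", "correct horse battery staple example"):
        n = pwned_count(pw, fake_fetch_range)
        verdict = f"seen {n} times in breaches, change it" if n else "not in the sample range"
        print(f"{pw!r}: {verdict}")
```

The same prefix-and-suffix logic is what a signup or password-change form should run server-side before accepting a new password: hash, send the prefix, reject the password if its suffix comes back with a non-zero count. Never post the cleartext or the full hash anywhere.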
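The article describes credential stuffing from the attacker's side: leaked email and password pairs replayed automatically against a site. In a defender's authentication log the same activity has a recognisable shape that is the opposite of a brute force: one source tries many distinct accounts once or twice each, most attempts fail, and the few that succeed are exactly the users who reused a leaked password. The detector below is an added example written for this page, not code from the article, WIRED or Have I Been Pwned. The `auth=ok|fail ip=... user=...` log format and every sample line are constructed for it, and the thresholds (five distinct accounts inside a five-minute window, at least 60% failures, at most two tries per account) are assumptions to tune for the service being protected.

```python
"""Spot credential-stuffing traffic in authentication logs.

Added example for this page. Stuffing replays leaked email:password pairs, so
its signature is many distinct accounts per source, each tried once or twice,
mostly failing; a brute force hammers one account and never matches this.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List

# Constructed log format for this example (not any real product's format):
# <ISO-8601 UTC timestamp> auth=<ok|fail> ip=<source> user=<account>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>ok|fail) ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    ok: bool
    ip: str
    user: str


def parse_events(lines: Iterable[str]) -> List[Event]:
    """Parse log lines; malformed lines are skipped instead of aborting the run."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                            ok=m["result"] == "ok", ip=m["ip"], user=m["user"]))
    return events


def detect_stuffing(events: List[Event], window: timedelta = timedelta(minutes=5),
                    min_users: int = 5, min_fail_ratio: float = 0.6,
                    max_attempts_per_user: float = 2.0) -> Dict[str, dict]:
    """Return {source_ip: summary} for sources whose attempts inside any sliding
    `window` cover >= min_users distinct accounts, fail at least min_fail_ratio
    of the time, and average <= max_attempts_per_user tries per account."""
    recent: Dict[str, Deque[Event]] = defaultdict(deque)
    flagged: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.ip]
        q.append(ev)
        while ev.ts - q[0].ts > window:  # evict events that fell out of the window
            q.popleft()
        users = {e.user for e in q}
        failures = sum(1 for e in q if not e.ok)
        if (len(users) >= min_users
                and failures / len(q) >= min_fail_ratio
                and len(q) / len(users) <= max_attempts_per_user):
            prev = flagged.get(ev.ip)
            if prev is None or len(q) > prev["attempts"]:  # keep the fullest snapshot
                flagged[ev.ip] = {
                    "attempts": len(q),
                    "failures": failures,
                    "distinct_users": len(users),
                    # A success from a stuffing source means that account's reused
                    # password just worked: force a reset on these, not only a block.
                    "compromised": sorted(e.user for e in q if e.ok),
                    "window_start": q[0].ts,
                    "window_end": ev.ts,
                }
    return flagged


# Constructed sample: 203.0.113.7 stuffs eight accounts and gets one hit,
# 198.51.100.9 brute-forces alice, 192.0.2.5 is ordinary office traffic.
SAMPLE_LOG = """\
2019-01-17T18:40:01Z auth=fail ip=203.0.113.7 user=amy@example.com
2019-01-17T18:40:02Z auth=fail ip=203.0.113.7 user=ben@example.com
2019-01-17T18:40:02Z auth=ok ip=192.0.2.5 user=bob@example.com
2019-01-17T18:40:03Z auth=fail ip=203.0.113.7 user=cal@example.com
2019-01-17T18:40:04Z auth=fail ip=198.51.100.9 user=alice@example.com
2019-01-17T18:40:04Z auth=fail ip=203.0.113.7 user=dee@example.com
2019-01-17T18:40:05Z auth=fail ip=203.0.113.7 user=eli@example.com
2019-01-17T18:40:05Z auth=fail ip=198.51.100.9 user=alice@example.com
2019-01-17T18:40:06Z auth=ok ip=203.0.113.7 user=fay@example.com
2019-01-17T18:40:07Z auth=fail ip=203.0.113.7 user=gus@example.com
2019-01-17T18:40:07Z auth=fail ip=198.51.100.9 user=alice@example.com
2019-01-17T18:40:08Z auth=fail ip=203.0.113.7 user=hal@example.com
2019-01-17T18:40:09Z auth=fail ip=198.51.100.9 user=alice@example.com
2019-01-17T18:40:12Z auth=fail ip=192.0.2.5 user=carol@example.com
2019-01-17T18:40:20Z auth=ok ip=192.0.2.5 user=carol@example.com
garbage line that does not match the format and is skipped
"""


def report(log_text: str) -> Dict[str, dict]:
    return detect_stuffing(parse_events(log_text.splitlines()))


if __name__ == "__main__":
    for ip, s in report(SAMPLE_LOG).items():
        print(f"{ip}: {s['distinct_users']} accounts, {s['failures']}/{s['attempts']} failed "
              f"between {s['window_start']:%H:%M:%S} and {s['window_end']:%H:%M:%S}; "
              f"compromised: {', '.join(s['compromised']) or 'none'}")
```

Only the stuffing source is reported; the single-account brute force fails the distinct-user test and the office NAT fails the failure-ratio test. The accounts listed under `compromised` are the actionable output: their owners reused a password that is now in a public list, so the response is a forced reset and step-up authentication for them, not just a block on an address that the next run will not use.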