The Have I Been Pwned? (HIBP) website (haveibeenpwned.com) has revealed another huge cache of breached email addresses and passwords discovered circulating among criminals last week. Named Collection #1, its statistics are as impressive as they are worrying: 87GB of data, 12,000 files, and 1.16 billion unique combinations of email addresses and passwords.
After cleaning up the data, security researcher Troy Hunt reckons 773 million of the email addresses are unique, as are 21 million of the passwords, which is to say each appears in unhashed form only once within the cache. Hunt said the data was discovered by “multiple people” on the MEGA cloud service, where it was being advertised as a collection made up of 2,000 or more individual data breaches stretching back some time.
Collection #1 data breach: What to do?
1. Check if your email is breached
To check whether your email addresses are in this cache (or any previous breach discovery), run a search using HIBP. If your email address was found in a data breach where passwords were also stolen, such as the recent Quora data breach, change your password for that site if you haven’t already. Of course, the sooner you change your password the better.
2. Email alerts for better security
Signing up for email alerts gives you a chance to respond swiftly to future compromises. You could also use a browser or password manager that is integrated with HIBP.
3. Know if your password has been compromised
If you want to test whether your go-to passwords have been involved in any breaches, HIBP has a search tool for that too – Pwned Passwords. You enter a password and the site tells you if it has appeared in any breaches. For example, a Pwned Passwords search revealed that the incredibly weak password ‘elvispresley’ has appeared 3,800 times in its database, which means that anyone using it should switch to something else as soon as possible. NakedSecurity constantly investigates breaches and advises users on cybersecurity best practices.
4. Prevent yourself from becoming a victim: use a password manager
To give your passwords the best possible chance of not appearing on Pwned Passwords, use a properly secured password manager that will create and store secure passwords.
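The Pwned Passwords check from step 3 can also be done without typing the password into a web page, which is how integrated tools typically query the service. The following is an added example, not code from the article or from HIBP: it goes beyond the web form the article describes and uses the service's public range lookup, where only the first five characters of the password's SHA-1 hash are sent and the match is made locally. The function names are hypothetical and the server reply is constructed in the code so that it runs offline.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest (40 characters) of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_prefix(password: str) -> str:
    """The only value sent to the service: the first 5 hex characters."""
    return sha1_hex(password)[:5]

def breach_count(password: str, range_response: str) -> int:
    """Match the remaining 35 hex characters locally against the
    'SUFFIX:COUNT' lines returned for the prefix; 0 means not listed."""
    suffix = sha1_hex(password)[5:]
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def constructed_response(known: dict, prefix: str) -> str:
    """Constructed stand-in for the reply to GET
    https://api.pwnedpasswords.com/range/<prefix> (no network access here)."""
    lines = ["0" * 35 + ":1"]  # constructed decoy entry sharing the prefix
    lines += [f"{sha1_hex(p)[5:]}:{n}" for p, n in known.items()
              if range_prefix(p) == prefix]
    return "\r\n".join(lines)

if __name__ == "__main__":
    prefix = range_prefix("elvispresley")
    # Constructed reply; the count of 3800 is the figure quoted in the article.
    reply = constructed_response({"elvispresley": 3800}, prefix)
    for pw in ("elvispresley", "constructed-unlisted-passphrase"):
        print(pw, "->", breach_count(pw, reply))
```

The full hash and the password itself never leave the machine; the service only learns a prefix shared by many other hashes.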
(Sunil Sharma is Managing Director – Sales, India & SAARC, Sophos)