In what might be the biggest data breach of all time, 773 million email addresses and 27 million passwords have been posted to a hacking forum, Wired reported Wednesday night.
The hacked material was briefly available on the cloud service Mega, then showed up in a folder labeled “Collection #1” on a popular hacking forum, says Troy Hunt, a security researcher who operates the site Have I Been Pwned? (There, you can enter your email address or password and see how many breaches you’ve been a part of.)
It’s unclear precisely where the data came from, but it’s apparently not from a single source, as in the infamous Equifax breach. Collection #1 seems to be an aggregation of more than 2,000 hacked databases whose protective password hashing (often loosely described as encryption) had been cracked, leaving the passwords in plain text. “It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers,” Hunt told Wired. “There’s no obvious patterns, just maximum exposure.”
It appears the collection was designed to be used in a “credential-stuffing” attack, in which hackers use automation to try leaked email-and-password pairs against as many sites as possible, counting on people having reused the same password elsewhere.
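From the defender’s side, credential stuffing leaves a recognisable footprint in authentication logs: one source address cycling through many different usernames with mostly failed logins, occasionally hitting a reused password. The following Python is an added example, not code from the article or from Have I Been Pwned; the log lines and their `key=value` format are constructed for illustration, and the thresholds are assumptions a real deployment would tune (and apply per time window).

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample authentication log (not real data). The layout
# "timestamp src=IP user=EMAIL result=OK|FAIL" is a hypothetical format.
SAMPLE_AUTH_LOG = """
2019-01-17T03:12:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2019-01-17T03:12:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2019-01-17T03:12:02Z src=203.0.113.5 user=carol@example.com result=FAIL
2019-01-17T03:12:03Z src=203.0.113.5 user=dave@example.com result=FAIL
2019-01-17T03:12:03Z src=203.0.113.5 user=erin@example.com result=OK
2019-01-17T03:12:04Z src=203.0.113.5 user=frank@example.com result=FAIL
2019-01-17T03:15:10Z src=198.51.100.7 user=bob@example.com result=FAIL
2019-01-17T03:15:25Z src=198.51.100.7 user=bob@example.com result=FAIL
2019-01-17T03:15:40Z src=198.51.100.7 user=bob@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_auth_log(text: str) -> List[dict]:
    """Turn the raw log text into a list of event dicts; skips malformed lines."""
    events = []
    for raw in text.strip().splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            events.append(match.groupdict())
    return events


def summarize_by_source(events: List[dict]) -> Dict[str, Tuple[int, int, int]]:
    """Per source IP: (distinct usernames tried, failed attempts, total attempts)."""
    users = defaultdict(set)
    fails = defaultdict(int)
    total = defaultdict(int)
    for event in events:
        src = event["src"]
        users[src].add(event["user"])
        total[src] += 1
        if event["result"] != "OK":
            fails[src] += 1
    return {src: (len(users[src]), fails[src], total[src]) for src in total}


def flag_credential_stuffing(events: List[dict],
                             min_distinct_users: int = 5,
                             min_fail_ratio: float = 0.6) -> List[str]:
    """Sources that spray many different accounts and mostly fail.

    A legitimate user who mistypes a password hits one account, not many,
    so distinct-username count is the discriminating signal; the failure
    ratio filters out shared NAT addresses with lots of normal logins.
    """
    flagged = []
    for src, (n_users, n_fail, n_total) in summarize_by_source(events).items():
        if n_users >= min_distinct_users and n_fail / n_total >= min_fail_ratio:
            flagged.append(src)
    return sorted(flagged)


def compromised_accounts(events: List[dict]) -> List[str]:
    """Accounts that were successfully logged into from a flagged source.

    These are the likely account takeovers: the attacker guessed right because
    the victim reused a leaked password. They are the incident-response
    priority (force a reset, revoke sessions).
    """
    bad_sources = set(flag_credential_stuffing(events))
    hits = {e["user"] for e in events
            if e["src"] in bad_sources and e["result"] == "OK"}
    return sorted(hits)


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    print("stuffing sources:", flag_credential_stuffing(evts))
    print("likely takeovers:", compromised_accounts(evts))
```

On the sample above the scanning address is flagged while the ordinary user who fumbled their own password twice is not, and the one successful login from the scanner is surfaced as the account to reset first.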
“While it doesn’t appear to include more sensitive information, like credit card or Social Security numbers, Collection #1 is historic for scale alone,” says Brian Barrett of Wired. “Around 140 million email accounts and over 10 million unique passwords in Collection #1 are new to Hunt’s database, meaning they’re not just duplicates from prior megabreaches.”
On his blog, Hunt said his own information is part of the breach “and it’s accurate; right email address and a password I used many years ago.”
Experts advise the following to protect your online security: create complex passwords; don’t use the same password across multiple sites; turn on two-factor authentication wherever it is offered, so that a stolen password alone is not enough to log in; change your passwords periodically; and consider a password manager, software that generates a unique complex password for each site and stores them all in encrypted form.
Above all, don’t repeat passwords, experts say; go super-analog if you have to. “It might be contrary to traditional thinking, but writing unique passwords down in a book and keeping them inside your physically locked house is a damn sight better than reusing the same one all over the web,” said Hunt.
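A practical way to act on this advice is to check whether a password already appears in a known breach corpus before accepting it, without ever sending the password itself anywhere. Have I Been Pwned’s Pwned Passwords service supports this with a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters of the digest to `https://api.pwnedpasswords.com/range/<prefix>`, and receives every suffix in that range with a count; matching the full suffix happens locally. The Python below is an added example, not code from the article or from Have I Been Pwned; for the offline demonstration the server response is a constructed sample (the suffix for the string “password” is genuine SHA-1 output, but the counts and the other suffixes are made up), while the `fetch_range_from_hibp` function shows how the live lookup would be wired in.

```python
import hashlib
import urllib.request
from typing import Callable, Dict


def sha1_hex_upper(password: str) -> str:
    """Pwned Passwords keys its corpus by upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (35 hex chars, colon, decimal) into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).

    Only the 5-character prefix leaves the client; the 35-character suffix is
    compared locally, so the service never learns which password was checked.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def fetch_range_from_hibp(prefix: str) -> str:
    """Live lookup against the real Pwned Passwords range endpoint (needs network)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the server: SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its range prefix is 5BAA6.
# The count and the two neighbouring suffixes are invented for the demo.
FAKE_RANGE_5BAA6 = """
00A1F3C2E8D7B6A5F4E3D2C1B0A9F8E7D6C5B4A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FF00AA11BB22CC33DD44EE55FF66AA77BB88CC9:1
"""


def fake_range_lookup(prefix: str) -> str:
    """Offline replacement for fetch_range_from_hibp using the constructed data."""
    return FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def password_is_acceptable(password: str,
                           range_lookup: Callable[[str], str] = fake_range_lookup,
                           min_length: int = 12) -> bool:
    """Policy check: long enough and never seen in a breach corpus."""
    return len(password) >= min_length and pwned_count(password, range_lookup) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, fake_range_lookup),
              "acceptable:", password_is_acceptable(candidate))
```

To run this against the live service, pass `fetch_range_from_hibp` as the `range_lookup` argument instead of the fake. A signup or password-change form that rejects breached passwords this way blunts exactly the attack Collection #1 was assembled for, because a reused password that is already in the corpus never gets set in the first place.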