Posted to a hacking forum and the MEGA file-sharing service earlier this month, ‘Collection #1’ is the largest aggregated credential dump made public to date. It contains nearly 773 million unique email addresses and more than 21 million unique passwords (about 1.16 billion distinct email/password combinations in all), stitched together from more than 2,000 earlier breaches. More worrying still, the archive was briefly available for free, so it is safe to assume it is now in the hands of any number of malicious actors.
The collection contains only email addresses and passwords: no credit card numbers, real names, social security numbers or postal addresses were released with it. The passwords, though, are in plain text, many of them cracked (‘dehashed’) from earlier hashed dumps before being aggregated, and without sound account hygiene an email address and a working password are all an attacker needs to take over accounts that open the door to further exploitation.
Attackers use data like Collection #1 for ‘credential stuffing’: the leaked email/password pairs are replayed, usually by automated tools, against the login pages of many unrelated services to see where they still work. This is far more efficient than ‘credential cracking’ (brute-forcing an account by guessing common passwords until one happens to fit), because the attacker already holds real passwords and only needs to discover what they unlock. It is particularly devastating because most people reuse the same email/password combination across several accounts, a practice Nodal does not recommend: one breach of a minor site then hands over every other account that shares the password.
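From the defender's side, a stuffing run has a recognisable shape in authentication logs, and it is the opposite of a brute-force attack: one source tries many different accounts, each usually only once, with a high failure rate and the occasional success where a reused password still works. The following is an added example, not Nodal's code, that scores login attempts per source IP over a sliding window; the log format and the sample lines are constructed for the illustration, so adapt `parse_line()` to whatever your service actually logs.

```python
"""Spotting a credential-stuffing run in login logs.

Added example, not Nodal's code. The log format is constructed for this
illustration (one line per login attempt: timestamp, source IP, account,
result); real services log differently, so adapt parse_line().

Credential stuffing looks like the inverse of password guessing: one source
tries MANY DIFFERENT accounts, each typically once, with a high failure rate
(most leaked pairs no longer work here) and the occasional success where a
reused password still does.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an attacker at 203.0.113.7 replays six leaked pairs and
# gets one hit; a real user at 198.51.100.20 mistypes twice, then logs in.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2019-01-17T10:00:01Z ip=203.0.113.7 user=bob@example.org result=fail
2019-01-17T10:00:02Z ip=203.0.113.7 user=carol@example.net result=fail
2019-01-17T10:00:02Z ip=203.0.113.7 user=dave@example.com result=fail
2019-01-17T10:00:03Z ip=203.0.113.7 user=erin@example.org result=success
2019-01-17T10:00:03Z ip=203.0.113.7 user=frank@example.net result=fail
2019-01-17T10:00:05Z ip=198.51.100.20 user=alice@example.com result=fail
2019-01-17T10:00:12Z ip=198.51.100.20 user=alice@example.com result=fail
2019-01-17T10:00:20Z ip=198.51.100.20 user=alice@example.com result=success
2019-01-17T10:01:00Z ip=198.51.100.21 user=grace@example.com result=success
"""


def parse_line(line):
    """Return {'ts', 'ip', 'user', 'result'} for one log line, or None."""
    fields = line.split()
    if len(fields) < 4:
        return None
    try:
        rec = {"ts": datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")}
        rec.update(f.split("=", 1) for f in fields[1:])
    except ValueError:  # bad timestamp or a field without '='
        return None
    return rec if {"ip", "user", "result"}.issubset(rec) else None


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_accounts=5, min_fail_rate=0.5):
    """Flag source IPs that hit >= min_accounts distinct accounts inside any
    `window`, with at least min_fail_rate of those attempts failing.
    Returns {ip: stats}; stats describe the widest offending window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until the span fits
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            span = attempts[start:end + 1]
            accounts = {r["user"] for r in span}
            fails = sum(1 for r in span if r["result"] == "fail")
            fail_rate = fails / len(span)
            if len(accounts) >= min_accounts and fail_rate >= min_fail_rate:
                prev = flagged.get(ip)
                if prev is None or len(accounts) > prev["accounts"]:
                    flagged[ip] = {
                        "accounts": len(accounts),
                        "attempts": len(span),
                        "fail_rate": round(fail_rate, 2),
                        # accounts the attacker actually got into: reset these
                        "compromised": sorted(r["user"] for r in span
                                              if r["result"] == "success"),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

The legitimate user who fails twice is never flagged because the distinct-account count stays at one; the attacker is flagged and the `compromised` list tells you which accounts to lock and reset first. A run spread across thousands of proxy addresses will stay under any per-IP threshold, so in practice you also correlate on slower signals (accounts per IP over hours, shared user-agent strings, ASN), but accounts-per-source is the first and cheapest check.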
Securing Your Accounts
The first step is to find out whether your accounts are in the dump at all. As explained in Nodal’s earlier look at data breaches, ‘Have I Been Pwned?’ is a great resource: search your email address to see which breaches it appears in, and use its companion Pwned Passwords service to check whether a password you use has shown up in any known breach. Collection #1 was uncovered and loaded into the site by Troy Hunt, its founder, so it is up to date for this breach.
If your address appears, change the password immediately, not only on the account that was breached but on every other account where you used the same password. Working through a list this size takes attackers time, so the sooner you change the locks, the more secure you are. Nodal recommends strong passwords and a different one for every account. A password manager such as 1Password keeps them straight across dozens of accounts, so there is no excuse not to keep them unique.
An additional step is enabling two-factor authentication (2FA) wherever it is offered. Even with your email address and password in hand, an attacker still needs the second factor, typically a code from an authenticator app or a hardware key, to get in. Nodal still recommends changing compromised login credentials even on accounts with 2FA enabled, for the sake of defence in depth.
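The reason an authenticator code defeats a credential dump is that it is computed from a secret the dump never contained. The block below is an added example, not Nodal's code, implementing the time-based one-time password scheme (TOTP, RFC 6238) that authenticator apps use, plus a constructed login check that requires both factors; the secret and time values are the RFC's own test vectors, and the user record and salt are made up for the demo.

```python
"""Why a second factor survives a credential dump: TOTP (RFC 6238).

Added example, not Nodal's code. The one-time code is an HMAC-SHA1 over the
current 30-second time step, keyed by a secret that exists only on the user's
authenticator and the service. That secret is not in any credentials list, so
a leaked email/password pair alone fails the login check below. The secret
and time values are the RFC 6238 test vectors (ASCII "12345678901234567890");
the user record and salt are constructed for the demo.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP for Unix time `at` (default: now)."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Accept the current step and `window` steps either side (clock skew)."""
    t = int(time.time() if at is None else at)
    return any(hmac.compare_digest(hotp(secret, t // step + k, digits), code)
               for k in range(-window, window + 1))


RFC_SECRET = b"12345678901234567890"  # RFC 6238 / RFC 4226 test secret
SALT = b"constructed-salt"            # real systems use a random salt per user
USERS = {                             # constructed user record
    "alice@example.com": {
        "salt": SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"hunter2", SALT, 100_000),
        "totp_secret": RFC_SECRET,
    },
}


def login(users, email, password, otp, at=None):
    """Both factors must check out; a correct password alone is not enough."""
    rec = users.get(email)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                            rec["salt"], 100_000),
        rec["pw_hash"])
    otp_ok = verify_totp(rec["totp_secret"], otp, at=at)
    return pw_ok and otp_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 vector: 6-digit code 287082 at this instant
    print("stuffed pair, no code :",
          login(USERS, "alice@example.com", "hunter2", "", at=now))
    print("pair + authenticator  :",
          login(USERS, "alice@example.com", "hunter2",
                totp(RFC_SECRET, at=now), at=now))
```

With the password from the dump but no device, `login` returns `False`; with the device-generated code it returns `True`. The one-step window on either side tolerates ordinary clock drift between phone and server; a larger window makes codes live longer and is the usual knob to tighten if you see replayed codes.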
For more information on the specifics of the data breach and recommendations for securing your account, Lifehacker has a report on the subject here. For a more technical description of Collection #1 and how it was found, check out Troy Hunt’s blog. If you have questions about how Collection #1 may affect your accounts, feel free to reach out to Nodal!