Massive hacks shouldn’t come as a huge shock to anyone anymore. Unfortunately, global-scale hacks are becoming both more frequent and more devastating with every passing year. We’ve seen NotPetya wipe out tens of billions of dollars and cripple worldwide infrastructure. Marriott and Starwood Hotels lost hundreds of millions of users’ personal data, including both financial information, and in some cases, passport data as well (in that particular case, hackers were inside the system for years snooping around before the intrusion was detected and the security breach patched). These mega-hacks are becoming more the rule than the exception. So it is with Collection #1 — it’s being touted as the largest-ever trove of breached data found in one place. Here’s what you need to know:
In mid-December, what has since been dubbed Collection #1 was uploaded to a popular cloud service, MEGA. Totaling more than 87GB in all, the collection contained 12,000+ separate files and was being circulated/touted on popular hacking forums.
Troy Hunt, who runs the Have I Been Pwned breach-notification service performed a cursory investigation and publicized the hack more widely for consumers and security personnel to take evasive action.
Hunt called the upload Collection #1, and wrote that it was probably ““made up of many different individual data breaches from literally thousands of different sources”, as opposed to being the work/result of a singular hack of a huge service.
The data almost assuredly included the 360 million MySpace accounts hacked in 2008 or the 164m LinkedIn accounts hacked in 2016. That said, there was somewhere on the order of 140 million email addresses in this breach that Hunt’s service had never seen before.
Taken together, the new(er) breached data combined with the prior monsters made for “1,160,253,228 unique combinations of email addresses and passwords…and 21,222,975 unique passwords”.
What you need to know
The primary culprit for massive breaches like this is password reuse. Even some of the most security-conscious folks are guilty of this from time-to-time — in a bid for ease of use, we reuse the same passwords for multiple sits and services. Even when passwords are extremely complex and sufficiently long, reusing the same password for multiple services means that when any of those services is breached, every service you’re using that password for is now vulnerable.
Hackers will typically use a ‘credential stuffing’ attack to use paired email addresses and passwords to flood services and try to gain access to your accounts. The more times you’ve reused a password, the more services this type of attack will grant hackers access to.
What should you do? For starters, stop reusing passwords. Seriously — stop it. Secondly, start using password managers like Lastpass or 1password. Vox put together a great post on why — I’d recommend checking it out, but the base level is that password managers are very secure, and they generate unique and complex passwords for all your services. Third, check out Hunt’s site Have I Been Pwned to check if your email address or one of your passwords has been hacked so you can take necessary evasive action. And finally, for businesses that don’t have robust cybersecurity departments, consider using a managed IT service provider like Leverage to own that domain for you. Breaches are too expensive and the sophistication of attacks are simply too high for most small- and medium-sized businesses to handle on their own — that’s where we come in.