“The collection of over 2,000 breached databases was recently uploaded to a cloud, with dehashed passwords and over 1 billion combinations”
Let this sink in for a moment — nearly 2.7 billion rows of information, 773 million unique email addresses, 21 million passwords recovered in plain text, and a total of 87GB of nothing but login credentials. This is the volume of breached data that was uploaded to the Collection #1 folder, first reported by security researcher Troy Hunt. As what happens to be the third largest data breach collection by volume (behind Yahoo’s tumultuous breaches, which exposed 1 billion and 3 billion email addresses), the Collection #1 data breach needs you to sit up and take notice, because unless you are exceptionally lucky, at least one of your passwords has almost certainly been exposed.
Hunt, who operates the website Have I Been Pwned? (HIBP), reported this massive breach. It is a sort of giga-breach: the overall data set was assembled from many separate data breaches carried out by many different hackers. A total of 772.9 million unique email addresses and 21.2 million unique passwords were processed and loaded into HIBP by Hunt, and if you haven’t already, you should log on to HIBP and check exactly how safe your email addresses and passwords are. Of this entire collection, nearly 140 million email addresses and over 10 million passwords were new additions to the HIBP database, meaning at least that many accounts had not been seen in any earlier breach.
The Collection #1 data set was uploaded to the cloud service MEGA and, as Hunt mentions, was being circulated on a “popular hacking forum where the data was being socialised.” The data is at least two years old, so chances are that it is somewhat outdated. Nevertheless, it remains highly relevant, given how people typically handle passwords. Even for those who do not use the same password everywhere (if you do, change it already), an old password is highly likely to be brought back into use by the same person on some other site.
Hackers exploit this through a process known as credential stuffing. Put simply, credential stuffing is an automated, brute-force style attack that takes “combos”, breached username and password pairs, and tries them across a wide range of portals (financial, entertainment, private storage services and so on) to break into user accounts. The Collection #1 folder holds some 2.7 billion such pairs, which can be acquired by attackers and then put to use on a trial-and-error basis across multiple platforms. For this to work, the targeted platforms do not themselves need to have been breached: credential stuffing simply relies on the same pair being valid on more than one site. That may sound unlikely, but many people recycle their old or “less important” passwords on services they consider less critical. Hunt’s example is Spotify.
While all this is alarming enough, what makes it worse is that the passwords in the collection are stored as plain text; whatever hashing the original services applied has already been cracked. Sites are meant to store passwords not as the text the user typed but as hashes, one-way transformations from which the original password cannot simply be read back. In the form in which the Collection #1 database holds the information, every password is readable as plain text, which means that literally anyone who gets their hands on the data can see, read, and use it.
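The article recommends checking your credentials against HIBP; the example below (added here, not code from the article or from HIBP) shows how HIBP’s Pwned Passwords range lookup lets you do that without ever sending the password or its full hash: only the first five hex characters of the SHA-1 hash leave your machine, and the matching is done locally. The range response and its counts are constructed for the example; a real client would fetch `https://api.pwnedpasswords.com/range/<prefix>` and pass the body to the same functions.

```python
import hashlib

def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix, suffix). Only the 5-char prefix is sent to the service;
    the remaining 35 chars stay on the client, so the service cannot tell which
    of the hashes in the returned range (if any) you were checking."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates blank lines and CRLF."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, ranges: dict[str, str]) -> int:
    """How many times the password appears in the breach corpus (0 = not found).
    `ranges` maps a 5-char prefix to the response body for that prefix; here it is
    a constructed offline stand-in for the network lookup."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(ranges.get(prefix, "")).get(suffix, 0)

# Constructed sample: the real SHA-1 of "password" is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8,
# so its prefix is 5BAA6. The other suffixes and all the counts are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             "00000000000000000000000000000000001:2\r\n"
             "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0:15\r\n",
}

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_for_range_query(pw)
        n = breach_count(pw, SAMPLE_RANGES)
        verdict = f"seen {n} times in the corpus, do not use" if n else "not in the sample corpus"
        print(f"{pw!r}: sent prefix {prefix}; {verdict}")
```

A count of zero only means the password is absent from the corpus you checked against, not that it is strong; the check is a filter for known-breached passwords, not a replacement for unique passwords per site.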
The final straw was reported by Gizmodo, citing security researcher Brian Krebs: Collection #1, as the name suggests, is only the first of such collections, and the person holding this folder claims to have at least six more batches of breached data, together amounting to a claimed one terabyte. If a mere 87GB was enough to hold 2.7 billion lines of breached email addresses and passwords, 1TB would be enough to store an astonishing collection of over 30 billion.
This means that even if your email addresses and passwords did not appear in the Collection #1 breach and you have somehow remained safe so far, what has come to light is only about nine percent of the total volume of credentials that has been exposed.