What some are calling the largest data breach in history is actually a collection of several old data breaches, according to Ars Technica. Called Collection 1, the data cache exposes nearly 773 million unique emails and about 21 million unique passwords for third-party sites.
According to Gizmodo, Troy Hunt, prominent security researcher and founder of Have I Been Pwned, said the data was posted in key forums, seemingly representing more than 2,000 databases. “The troubling thing is the databases contain ‘dehashed’ passwords, which means the methods used to scramble those passwords into unreadable strings have been cracked, fully exposing the passwords,” writes Gizmodo.
Despite the gargantuan volume, much of this same data was exposed previously; about 663 million of the email addresses were already in the Have I Been Pwned database. Even so, this trove of user information certainly paves the way for hackers to wreak havoc.
Ars Technica writes, “In all, it contains 1.16 billion email-password combinations. That means that the list covers the same people multiple times, but in many cases with different passwords.”
Hackers use compromised emails and passwords in a practice known as “credential stuffing,” where they cross-reference the information to try to access other accounts (bank accounts, phone accounts, DMV records, etc.). Hackers rely on this tactic because many people use the same passwords over and over again.
The big takeaway: Don’t use the same password on multiple sites. Experts suggest using a unique password for each individual account to keep accounts secure, and of course using multi-factor authentication whenever possible. Awareness of phishing tactics is also critical. Businesses should ensure employees are trained in how to recognize sites and communications that pose risk.
Get the full story at Ars Technica.