Data breach just might be the word of 2019. We're not even one month in, and already one of the biggest data breaches to date was just made public.
This one's far larger than last year's newsworthy breaches from Marriott and Facebook. It exposed 773 million passwords and emails on the dark web. That means if you were in it, your email and passwords are floating around out there.
About the breach, called Collection #1
The breach came to light thanks to Troy Hunt, a security expert who maintains a database of data breaches called Have I Been Pwned. Hunt works with other security experts to grab various data breaches circulating on the dark web, then loads them into his database. Anyone can search any email on his website to see if it's been included in one of those breaches.
Unlike recent data breaches, which are usually limited to a single site, this one contains emails and passwords from many breaches. It's a mega compilation.
"It's made up of many different individual data breaches from literally thousands of different sources," Hunt wrote about the breach on his blog. For this reason, he's named it Collection #1. "In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see," Hunt explains.
How to check to see if your info is in it
Go to haveibeenpwned.com and search your email. You'll see if you were in this one (it's called Collection #1) and any others in his database, which goes back several years.
Were you in it? Don't feel bad. Millions of people were. Now it's time to do something about it. (And lucky you if you weren't.)
Check Pwned Passwords to see if your favorite password has been exposed. It probably was. It's time to change your passwords. Start with the password you use everywhere.
It's time to stop reusing that password. You should use a unique password on every single site on which you have an account. You don't have to remember tons of unique passwords either. That's what password managers are for.
Wirecutter recommends LastPass Premium for most people and 1Password for Mac and iOS users. They say: "A password manager makes you less vulnerable online by generating strong random passwords, syncing them securely across your browsers and devices, and filling them in automatically."
Password managers take some set-up time, but it's well worth it to stop hackers in their tracks. Otherwise it's far too easy for hackers to get into your accounts and start down the path of identity theft.
Why this mega-breach is super bad
No one actually knows for sure which sites these email addresses and passwords were stolen from. Hunt published a list of websites based on what he could piece together, but he says it is likely incomplete.
The sources don't really matter though. Hackers couldn't care less where these emails and passwords came from. They just want passwords and emails so they can try them to log in to other sites. They've got software and scripts that do all the work for them, trying thousands of password and email combos a minute.
In other words, Collection #1 is a goldmine for hackers. They've got lots of emails and lots of passwords associated with those emails. They can plug them in anywhere and see if they work. And since many people use the same password everywhere, it's easy to get in. Literally any account that requires an email address and password is fair game.
The data is extremely clean. And that's a bad thing.
Collection #1 is the largest breach Hunt has ever loaded into the Have I Been Pwned database. What's more, the data is also some of the "cleanest."
The data that gets leaked or exposed from data breaches can sometimes be messy. It circulates on the dark web in various formats, some of which are more readable than others depending on what cyber criminals have in their hacker toolkits.
For some data breaches, it might take a pro-level hacker to decrypt the data or crack the password hashes. But getting the emails and passwords in Collection #1 is far simpler than that.
The passwords and emails are neatly organized into rows. And, if an email appears multiple times, those emails and password combos are grouped together in the files. Whoever put all this data together made it really easy for even the most inexperienced hacker to work with.
Chances are, if you were in this breach, multiple passwords were exposed. Even more reason to stop using that same one you use everywhere. Because it's probably already out there.
Protecting your passwords and personal data
To recap: Change your passwords. Everywhere. Stop using the same password you've used since 2008. Get a password manager. Make it do the work for you by generating strong passwords and storing them for you. Keep your passwords locked down to make it harder for hackers to fly fast and loose with your data.