Incident Of The Week: Massive 'Collection #1' Data Breach Exposes 773 Million Emails

Some 773 million email addresses and nearly 22 million passwords have been leaked and distributed in a folder dubbed "Collection #1," on the MEGA cloud service, according to security blogger Troy Hunt.

This translates to more than 87 GB of data, said Hunt, who also works as a regional director at Microsoft. He said he cleaned up the data, which was built up from numerous data breaches, allegedly from thousands of sources dating back to 2008, Mashable reported. Hunt said he then loaded it onto his free breach notification site Have I Been Pwned (HIBP).

The data has since been removed from MEGA.

Hunt said he too, has been a victim of data breaches. "Like many of you reading this, I've been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public," Hunt wrote. "Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again."

The data includes "dehashed" passwords that Hunt said "have been cracked and converted back to plain text." This makes them easy to use instead of them being cryptographically hashed as they often are when sites are breached, according to Forbes.

After receiving a tip from one of his contacts, Hunt found the "data was being socialized" on a popular hacking forum. 

This is yet another breach of proportions that were unimaginable only a few years ago, Stan Lowe, global CISO of Zscaler, told SC Magazine.

So What Does This Breach Mean For The Enterprise?

Hunt tells Cyber Security Hub, "The thing about enterprise versus consumer is that at the end of the day, it’s still all about people and people take their security practices home and to work with them."

"Very often, the password they use on public websites that are breached is very similar if not the same to the one they use in the enterprise," he adds.

Hunt also explains what organizations can do to protect themselves from a attack like this one:

"Robust password requirements are important and that doesn’t mean asking people to use a mix of character types. Blocking known bad passwords that have been exposed in a data breach, for example, is increasingly important."

"There’s also increasingly good enterprise support for technologies such as U2F; requiring a physical key alongside a password has never been easier and it significantly strengthens an organisation’s security posture," Hunt says. 

How to Find Out if You've Been a Victim

If you are one of the 2.2 million people that already use Hunt's Have I Been Pwned site, you should have received a notification. Otherwise, you can go to the site, type in your email address and search, then scroll down to the bottom of the page. The site will let you know if your email address is affected by the Collection #1 breach, and you can also see if your details were stolen in any other breaches as well.

To find out if your password has been compromised, you separately need to check Pwned Passwords– a feature recently built into the site. This feature also helps you to use strong passwords. If your password appears there, it’s safe to assume others are using it and your accounts could be easily breached.

While Hunt writes that he can’t say exactly which password may have been exposed in the Collection #1 breach, “I can tell you if any password you're interested in has appeared in previous breaches Pwned Passwords has indexed. If one of yours shows up there, you really want to stop using it on any service you care about.”

If you have a bunch of passwords, checking all of them could be time-consuming. In this case, Hunt suggests 1Password's Watchtower feature, which can take all your stored passwords and check them against Pwned Passwords at once. He also suggests using a password manager, since it is “a secure vault for all your secrets to be stored … and its sole purpose is to focus on keeping them safe and secure.”