Collection #1: The Monster Breach

Data breaches have become a no longer ignorable fact of life. A fair amount of articles on this publication have dealt with breaches in their varying forms. From the record-breaking Equifax breach which was unrivaled in scale, to how much cash is to be made by hackers selling data acquired from a breach, 1.7 million USD for those interested. Even the consequences facing companies if breached. While the Equifax breach set all kinds of records for all the wrong reasons, news surfacing about “Collection #1” smashes all those nefarious records.

On January 17, 2019, security researcher Troy Hunt published an article detailing the discovery of email addresses and passwords exposed online. Mr. Hunt has called the breach “Collection #1” and the numbers are truly staggering. It consists of email addresses and passwords totaling 2,692,818,238 rows. In total, there are 1,160,253,228 unique combinations of email addresses and passwords with unique email addresses totaling 772,904,991. Then there are 21,222,975 unique passwords. It took the writer three read through attempts to try to make sense of the numbers and they are still unfathomable.

In total there is approximately 87GB of data in over 12,000 folders which was initially discovered on the cloud service, Mega. It is yet to be determined where exactly all the data originated from if it is even possible to do accurately at all. However, it is claimed to be a massive collection of over 2,000 leaked databases that contain passwords whose protective hashing has been cracked. Protective hashing is the process by which cached passwords are converted into a collection of cryptographic hashes with hashes been a collection of random-looking strings of characters into which the passwords have been mathematically transformed to prevent them from being easily discernible.

collection1 the data breach

Password hashing has many advantages with one of those being that if a hacker steals the hashed password the random data cannot be reversed to the normal text the user entered in creating the password. It is not unbreakable though. There already exists a large database of precomputed hashes to find the input of stolen password hashes. Once the hash has been decrypted the email and password combinations can be used in credential stuffing attacks. These attacks rely on attackers essentially throwing email and password combinations at a given site or service. The process is generally automated and preys on individuals who use the same password for multiple websites.

Could You Be Affected?

Given the sheer amount of data which has been exposed online assuming you will not be affected may be foolish. This is an incredibly serious security concern even though it seems no other data, like credit card details and identification numbers, were leaked. Luckily, Troy Hunt is the creator of the website, Have I Been Pwned, which allows anybody to search whether your own email or password has been compromised by a breach at any point. Currently, all the 87GB of data discovered has been loaded onto the website. Simply enter your email address and hope. If you have had your email exposed online there are measures you can take, the first being it is time to change your password and use more than one. This may seem like a chore but is better than struggling with the ramifications of identity theft.

What users can also do is download one of the numerous password manager software packages available. A password manager provides you with a secure vault for all your passwords to be stored. Many products also allow for the storing not of credit card and banking information securely along with your passwords. The sole purpose of such software is to keep passwords safe. Another advantage to password managers is they actually make logging into websites and apps easier. They are one of the few exceptions to the rule that adding more security to things makes life more difficult.

Overall Impact of Collection #1

One of the more troubling characteristics of this breach, it can be argued the entire affair is troubling, is that Mr. Hunt reported that around 140 million email accounts and over 10 million unique passwords in Collection #1 are new to Hunt’s database. This means they are not duplicates of other breaches, a tactic used by hackers to entice buyers for the data by trumping up the numbers by duplicating data. Also, this data was freely available whether, on Mega, it has subsequently been removed, or on popular hacking forums.

As the passwords were all in plain text another warning siren should be going off in reader’s heads. Hunt explains,

“These are all plain text passwords. If we take a breach like Dropbox, there may have been 68 million unique email addresses in there, but the passwords were cryptographically hashes making them very difficult to use,”

This shows that those behind the breach have technical prowess and have simultaneously allowed easier for script kiddies, inexperienced hackers with little technical knowledge, to abuse.

As mentioned above to make your online security more robust it is advised to use a password manager. Users are further advised to use two-factor authentication where possible. And please do not use the same password for every website you subscribe to, pay for, or simply use free features of. It is important to also remember that no security measure is unbreakable. Users should focus on making things as difficult as humanly possible for hackers. If it is too difficult to break it is often not worth the effort.