If you’ve been using the same password for your email for some time, this may be the time to change it. A new data leak has exposed more than 1 billion unique combinations of passwords and accounts on the web. The finding was first reported by security expert Troy Hunt, who heard from sources that the information had been made available on the MEGA cloud storage service and also in a hacker forum.
According to Hunt, the data, dubbed Collection #1, was split into 12,000 separate files, totaling more than 87 GB of documents. In all, the lists contain 2.7 billion lines of e-mail addresses and passwords, which yield 1.16 billion unique combinations. The information gathered in these files came from more than 2,000 different sources whose security had been breached by intruders sometime in 2015.
It is estimated that most of the information contained in the documents had already been leaked before. Still, more than 10 million passwords and 140 million addresses listed were considered “new” by Hunt.
“It just seems like a random selection of websites and databases made just to maximize the number of credentials made available to hackers,” he told WIRED magazine. The information, however, is not necessarily recent: on his blog, Hunt also reported that he found his own data in the list, but pointed out that in his case the passwords were all older. Still, it is best to be on guard.
The expert says he realized the extent of the problem from the number of people who contacted him and from a post on a well-known forum. “Concerning the risk it poses, more people with the data obviously increase the likelihood that they will be used for malicious purposes,” says Hunt.
How do I know if an email was in Collection #1?
The easiest way to check whether your email was in one of the Collection #1 databases is to search for it on Have I Been Pwned. The site has indexed the millions of email addresses in the collection and can tell you whether you were among those affected.
The service also offers Pwned Passwords, which lets you search for the passwords you use. That way you can see how many times they have appeared in known leaks and get an idea of how much protection they offer.
If you find any of your current information on the site, the most cautious decision is to change your passwords on the indicated service. To avoid future problems with tactics such as “credential stuffing,” the trick is to avoid using the same password on more than one platform.