They’re calling it Collection #1, and more collections are reportedly on the way.
First made public by security consultant Troy Hunt, the data dump comes from multiple different sources – perhaps more than 2,000 – and amounts to 87GB of data in all.
To make matters worse, the passwords are in plain text and easily readable.
The package was spotted being hawked around for sale among hacker communities, and could be used for credential stuffing – a technique where bad actors take known email address and password pairs and try them on as many different apps and services as they can.
“People take lists like these that contain our email addresses and passwords then they attempt to see where else they work,” says Hunt.
“The success of this approach is predicated on the fact that people reuse the same credentials on multiple services.”
Exactly where these passwords and email addresses have come from, and which accounts they relate to, isn’t clear.
What we do know is that it’s the biggest single batch of personal login data yet compiled, and it shows the danger of using the same password everywhere.
While the likes of Google and Apple have security technicians savvy enough to keep your passwords from leaking out, the same can’t be said for all those fun apps, forums, free trials, and throwaway services we sign up for.
The security behind these other apps and sites is probably not up to the standard of a Microsoft, Google, Apple, or Amazon account – but if we’re using the same email and password combination across them all, the weakest link exposes everything.
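Credential stuffing leaves a recognisable footprint on the receiving service: one source address cycling through many different account names in a short time, mostly failing, with the occasional success on an account whose owner reused a leaked password. The following detector is an added example written for this article, not code from Troy Hunt or Have I Been Pwned; the log format, field names and IP addresses are constructed for illustration, and the thresholds are assumptions to be tuned per service.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (not real data). One address,
# 203.0.113.5, runs through six different accounts in a few seconds.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z ip=203.0.113.5 user=alice@example.com result=fail
2019-01-17T10:00:02Z ip=198.51.100.7 user=bob@example.com result=fail
2019-01-17T10:00:03Z ip=203.0.113.5 user=carol@example.com result=fail
2019-01-17T10:00:05Z ip=203.0.113.5 user=dave@example.com result=success
2019-01-17T10:00:06Z ip=198.51.100.7 user=bob@example.com result=success
2019-01-17T10:00:07Z ip=203.0.113.5 user=erin@example.com result=fail
2019-01-17T10:00:09Z ip=203.0.113.5 user=frank@example.com result=fail
2019-01-17T10:00:10Z ip=192.0.2.9 user=grace@example.com result=fail
2019-01-17T10:00:11Z ip=203.0.113.5 user=heidi@example.com result=fail
2019-01-17T10:00:12Z ip=192.0.2.9 user=grace@example.com result=success
"""

# Assumed line layout: "<ISO-8601 UTC> ip=<addr> user=<account> result=<fail|success>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn log text into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_credential_stuffing(events, window_seconds=300,
                               min_distinct_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, within any window, hit many distinct accounts
    with a high failure ratio. Successes inside such a burst are the accounts
    most likely to have been opened with a reused, leaked password."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        n, j = len(evs), 0
        for i in range(n):
            # Sliding window: advance j while events stay within window_seconds of evs[i].
            j = max(j, i)
            while j < n and (evs[j][0] - evs[i][0]).total_seconds() <= window_seconds:
                j += 1
            window = evs[i:j]
            users = {e[2] for e in window}
            fails = sum(1 for e in window if e[3] == "fail")
            if len(users) >= min_distinct_users and fails / len(window) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(window),
                    "failures": fails,
                    # Accounts that succeeded during the burst: force a reset / notify owner.
                    "possibly_compromised": sorted(e[2] for e in window if e[3] == "success"),
                }
                break  # one hit per IP is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The important output is not the flagged address itself but the `possibly_compromised` list: a login that succeeds in the middle of a stuffing burst is the strongest signal a service has that one of its users reused a password from a dump like this one, and is the account to reset and notify first.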
To see if your email address is in the list, check out Troy Hunt’s Have I Been Pwned? site, which collates addresses exposed in this breach and many others. Whether or not you get a match, it’s a good idea to change your password to something completely new.
So with yet another data breach hitting the headlines, what hope is there for the average user trying to keep track of login details for dozens of accounts?
It’s a good idea to sign up for a password manager service – run a quick web search to find some suggestions. These apps will securely store your password and login details across every service you use, and make sure they’re all different and very hard to crack.
If signing up for a password manager service sounds like a lot of hard work (although it isn’t really), get your web browser to remember your passwords for you, and to suggest strong passwords whenever you sign up for a new service.
Both Chrome and Safari do this now, and Safari even warns you when you’re reusing a password you’ve got in place somewhere else.
You should also switch on two-factor authentication on as many apps and sites as possible. This means other parties need two bits of secret data – your password and something else – to access an account.
Typically you get a code sent to your phone via SMS, or have to generate a code in a separate app on your phone, when you sign in on a device you’ve not used before.
The crucial bit is that your password and email address on their own aren’t enough for a hacker to gain access to your account – something else is needed as well. It’s an effective way of protecting against data breaches like this one, and this site can help.
These data breaches are likely to continue, but with a few simple common sense steps you can limit the risk of your accounts being accessed.