Now that I’ve got your attention…  Well, the operative number is 773 million, so, I guess my headline for this blog was only 227 million short (who’s counting…)

Just two business weeks into the New Year, alas, we encounter one of the biggest data breaches (well, leaks) of recent years. Sadly, this wasn’t some extravagant story invoking the wonders of advanced coding and dark hacking techniques. No. Rather, this was a dump of perhaps many months of broad hacks, attacks, infiltrations, and exploitations of neglected data security (or the lack of it). Now, I say “sadly” simply because in several recent successful breaches/leaks (which are likely included in this monster leak) the databases were simply wide open, just sitting there, waiting for someone – anyone – to come along and take them as if they were public domain. But, I digress.

Microsoft Regional Director, MVP, and security colleague Troy Hunt confirmed the veracity and scale of the leak, then took to the interwebs to report and warn of this massive leak consisting of 773 million unique email addresses and 21 million unique passwords, many of which have never been seen in any of the already-compromised-account databases, including his (more on that a bit later). Troy refers to this as Collection #1 since the top-level folder structure is named Collection #1… So, does this imply there might be a Collection #2, #3, and so on?

Apparently, multiple folks contacted Troy (because of his side job, which is as much a labor of love as it is a tremendous public service) to alert him to a trove of 12,000 files totaling 87 GB in size and consisting of nearly 2.7 billion records. You see, Troy is also the inventor and host of “HaveIBeenPwned?” or “HIBP”, a free cyber-public-service site (and it’s safe) that allows anyone to check if their email address (or even their password) has ever been compromised and circulated into the wild. You can subscribe to his list with your email address and be alerted if ever your username and password should be flagged by his service.
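As an added illustration (not code from this post or from HIBP itself) of how a password can be checked against a leaked-password corpus without ever sending the password, here is the k-anonymity scheme the Pwned Passwords API uses: the client sends only the first five hex characters of the password’s SHA-1, the service returns every hash suffix it knows under that prefix together with how many times each was seen, and the comparison happens locally. The sample response below is constructed for this example (only the suffix on the second line is the real tail of SHA-1(“password”); the other suffixes and all counts are made up); `fetch_range_live` shows the real endpoint but is never called, so the block runs offline.

```python
import hashlib
import urllib.request

# Constructed stand-in for the Pwned Passwords "range" endpoint. The real
# service answers GET /range/<5 hex chars> with one "SUFFIX:COUNT" line per
# known hash under that prefix. The suffix on the second line is the genuine
# tail of SHA-1("password"); the other suffixes and all counts are made up.
SAMPLE_RANGE_RESPONSE = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
    ]),
}


def sha1_hex_upper(password: str) -> str:
    """Pwned Passwords keys its corpus on the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_k_anonymity(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): only the 5-character prefix ever leaves the client."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_sample(prefix: str) -> str:
    """Offline fetcher backed by the constructed sample above."""
    return SAMPLE_RANGE_RESPONSE.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """Real query (not called in this example): GET api.pwnedpasswords.com/range/<prefix>.

    The Add-Padding header makes every response roughly the same size, so a
    network observer cannot infer the prefix from the response length; padded
    entries come back with a count of 0 and are harmless to the lookup below.
    """
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range_sample) -> int:
    """How many times the password appears in the corpus (0 = not found).

    Neither the password nor its full hash leaves this function; the suffix
    match is done locally against the candidate list the service returned.
    """
    prefix, suffix = split_for_k_anonymity(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate)
        verdict = f"seen {n} times, do not use" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

To query the real service, pass `fetch=fetch_range_live` to `breach_count`; the prefix/suffix split is what keeps the check safe to run against a password you actually use.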

Now, the interesting and significant part of this is that Troy digested the entirety of the Collection #1 dump, deduplicated it, and determined the following:

  • Of the 2.7 billion records, 773 million are unique, and
  • 140 million email addresses and over 10 million passwords have never been seen in the HaveIBeenPwned database before.

Also, Collection #1 looks to be the systematic cracking of tons of online services of all sizes, purposes and descriptions. Further, the content appears to have all been run through brute-force password-cracking programs that recovered the plaintext behind millions and millions of hashed passwords (meaning these are now available in clear-text form). This type of trove is highly desirable to “credential stuffers”, who simply fire these username/password combinations at services they want to attack until they get in.

So is this serious?  um, YES!

While the trove doesn’t appear to include more sensitive information such as credit card numbers, social security numbers, or personal and health data, the sheer volume and uniqueness of Collection #1 is historic. Now, compromised usernames and passwords often circulate on the internet for years and years.

Heck, my long-defunct AOL email address is still floating around the webs since the time of the 3-billion-victim Yahoo breach a decade ago. Hence, that address still shows up in HaveIBeenPwned?.

But a few characteristics make this one especially unnerving:

  1. First is that 140 million email accounts and over 10 million unique passwords in Collection #1 are new to HaveIBeenPwned?. Meaning, these are not duplicates or regurgitations of previous breaches.
  2. Next is the way in which the passwords are saved in Collection #1. They’re all plain-text passwords. If you consider the Dropbox breach, there were about 68 million unique email addresses, but all the passwords were cryptographic hashes, making them nearly impossible to use (especially for the “credential stuffers”). Instead, Collection #1’s contents and organization are structured such that the only technical knowledge one needs to break into your accounts is the ability to scroll and click.

In other words, this is very bad because it opens the door to a far less skilled class of attacker.
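The difference between the Dropbox-style hashed dump and Collection #1’s plain text comes down to how the service stored the password in the first place. The following is an added example, not code from the post or from any of the services mentioned: each password is hashed with a per-user random salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library; the 600,000-iteration work factor follows OWASP’s published guidance and is a choice made here), so a leaked record can be verified by the service but gives a credential stuffer nothing to scroll and click through.

```python
import base64
import hashlib
import hmac
import os

# Work factor: OWASP's guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
# A real deployment would more likely choose Argon2id or scrypt, but PBKDF2 is
# in the standard library and demonstrates the same idea.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt$digest' (base64 fields).

    A fresh random salt per record means two users with the same password get
    different records, so one cracked record says nothing about the other.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and iteration count."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample users; the stored records never contain "hunter2".
    users = {"alice": hash_password("hunter2"), "bob": hash_password("hunter2")}
    print("same password, different records:", users["alice"] != users["bob"])
    print("alice logs in:", verify_password("hunter2", users["alice"]))
    print("wrong password rejected:", not verify_password("hunter3", users["alice"]))
```

The iteration count is what turns the “brute-force password guessing programs” mentioned above into an expensive, per-record job rather than a bulk lookup: every guess against every record costs the full 600,000 HMAC rounds.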

Things you might want to do (aka, things you really should do) immediately are the following:

  1. Check your email addresses against HaveIBeenPwned?, that is, https://haveibeenpwned.com (typed out for the click-leery).
  2. If you have ever used the same password (passphrase) for more than one account, then change them. You want separate, complex passphrases for every account. If you can’t manage multiple complex passwords, then go get yourself a password management tool. I use 1Password. It’s not a free tool, but it works perfectly on all my Windows, Mac, Android and iPhone devices. Even better is the fact that it’s linked to Troy Hunt’s HaveIBeenPwned? site to alert me immediately if my username, email or password has been breached and introduced into the dark net. It also includes a complex password generator, and it will nag me if I use the same password for more than one account. Yes, we all make mistakes.
  3. Wherever possible, enable multi-factor authentication (some refer to this as two-step authentication). Many social sites and online stores have multi-factor authentication or two-step validation options – enable them. How does it work? When you log in with your username and password (something you know), the host system then requires that you use your phone (something you have) to answer the second factor. Some systems require you to type in the number generated by your second factor (the phone you are carrying), or simply to click accept when your phone prompts you with the message sent by the hosting server. There are several variants of multi-factor authentication (the phone presently being the most efficient and easy to use). But enabling multi-factor authentication on your personal accounts (AND within your workplace) will eliminate nearly 80% of the cyber hacker threat. I’d argue this percentage is more like 90% since nearly every attack revolves around compromising and gaining a user’s access, but Microsoft, Verizon, IBM and others all seem to agree with the 80% figure based on their research and surveys.

Well, that’s it for now, but stay tuned, as we’ll learn soon enough if there is a Collection #2 out there. Again, change your passwords, enable multi-factor authentication, and don’t use the same password for multiple services.

Till next time,

Ed