Following the leak of 773 million records from what security researchers call "Collection #1" earlier this month, experts are now saying that Collections #2-#5 contain even more information. The Hasso Plattner Institute says that "around 2.2 billion e-mail addresses and the associated passwords circulate through Collections #1 to #5," and Naked Security claims the newly uncovered collections represent about 845GB of data covering 25 billion records. Needless to say, if you happen to have an email account, checking to see if other services tied to that account have been compromised with identity-checking websites like Have I Been Pwned or HPI's tool is probably a good idea. It's quick and painless, and I just found several compromised accounts across 2 of my email addresses, which is a testament to why you should never re-use passwords. Thanks to Schtask for the tip.
The obvious measure of these breaches is how much new data they represent, that which has not already been added to databases such as those amassed by HIBP or HPI. Have I Been Pwned? estimated the unique data in Collection #1 at around 140 million email addresses and at least 11 million unique passwords. HPI, meanwhile, estimates the number of new credentials at 750 million (it isn’t yet clear how many new passwords this includes)... When faced with these sorts of numbers, it’s tempting to shrug one’s shoulders and move on – most of these data breaches are old, so what harm might they be doing now? Initially, breached credentials are probably traded to give attackers access to the account on the service from which they were stolen. After that, they are quickly traded again to use as fuel for the epidemic of credential stuffing attacks. Credential stuffing thrives on our habit of reusing passwords - credentials for one service will often give a criminal access to other websites too. Remember that while plaintext passwords are pay-dirt for criminals, usernames and email addresses are also valuable because they give them something to aim at when trying a brute-force attack.