In what could be the biggest data breach in recent times, over 772 million email addresses and 22 million unique passwords have been exposed in a collection of files uploaded to the cloud storage service MEGA. Calling it Collection #1, Troy Hunt, Microsoft regional director and MVP for developer security, who first revealed the breach, said the dump was a “set of email addresses and passwords totalling 2,692,818,238 rows”, which adds up to “1,160,253,228 unique combinations of email addresses and passwords”.
A random check on haveibeenpwned.com, a site created by Hunt, showed that one of my email IDs has been outed via 18 breached sites. Thankfully, the passwords I could remember for the same ID are all safe.
In a blog post “written for the masses”, Hunt said the collection had over 12,000 files adding up to 87GB of data; the files have since been deleted from MEGA. The email addresses were listed against the breached sites they came from, so the same email ID could appear in the breaches of many of the listed sites.
“Whilst I can’t tell you precisely what password was against your own record in the breach, I can tell you if any password you’re interested in has appeared in previous breaches Pwned Passwords has indexed,” Hunt’s blog post said. It explained that if a password you use shows up here, then it is time to stop using it.
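As an added example (not code from Hunt’s post or from the Have I Been Pwned project), this is how a client can check a password against Pwned Passwords without sending the password itself: it hashes the password with SHA-1, sends only the first five hex characters of the hash to the service’s range endpoint, and compares the remaining suffix locally against the returned `SUFFIX:COUNT` list. The range body below is constructed so the script runs offline, and `offline_fetch` and the counts are assumptions for the example.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords "range" response: one
# "SUFFIX:COUNT" line per leaked SHA-1 that shares the 5-character prefix.
# The first suffix is the real tail of SHA-1("password"); the counts and
# the other two suffixes are made up for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "0000000000000000000000000000000000A:2\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\r\n"
    ),
}


def range_url(prefix: str) -> str:
    """URL a client would GET; only the 5-char prefix leaves the machine."""
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (prefix sent to the service, suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> breach count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Assumed stand-in for the HTTP GET; serves the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """How many times the password appears in the indexed breaches (0 = not seen)."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "a long unique passphrase not in the sample"):
        seen = breach_count(pw)
        print(f"{pw!r}: {'seen %d times, stop using it' % seen if seen else 'not found'}")
```

Swapping `offline_fetch` for a real HTTP GET of `range_url(prefix)` turns this into a live check; the password and its full hash never leave the client either way.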
The risk, Hunt said, is credential stuffing, “the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts”, using the leaked email and password combinations. He said this method works because people are used to recycling passwords across different email IDs.
If your email ID appears in the breach, the advice is to change to a random password and to turn on two-factor authentication.