Security researcher Troy Hunt has exposed what he describes as the largest collection of breached credentials ever loaded into his Have I Been Pwned service: more than 770 million email addresses and tens of millions of passwords.
The hacked data was loaded onto the Have I Been Pwned (HIBP) database around the middle of December 2018.
Hunt, who holds Microsoft’s Regional Director title, said, “In total, there are 1,160,253,228 unique combinations of email addresses and passwords” and “21,222,975 unique passwords,” The Guardian reported this week.
Hunt leads the Have I Been Pwned (HIBP) breach-notification service, which “collects various data breaches so individuals can determine if they have fallen prey to online hackers,” according to Forbes.
Hunt, who calls the data upload “Collection #1,” said, “It was probably made up of many different individual data breaches from literally thousands of different sources, rather than representing a single hack of a very large service.”
Of the millions of email addresses identified in this particular collection, Hunt said “many were previously exposed in prior breaches, including the 2008 hack on MySpace, where more than 360 million were affected, and the LinkedIn hack in 2016, where 140 million were hit,” Forbes stated.
According to Hunt, there are also new email addresses involved in this breach. He said, “Those email addresses could come from one large unreported data breach, many smaller ones, or a combination of both.”
Hunt said, “People take lists like these that contain our email addresses and passwords then they attempt to see where else they work.”
“The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago you’ve long since forgotten about, but because it’s subsequently been breached and you’ve been using that same password all over the place, you’ve got a serious problem,” Hunt added.
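The practical question Hunt’s point raises is how to check whether a password you still use sits in a corpus like this without handing that password to a third party. The following is an added example, not code from the article or from Have I Been Pwned: it implements the k-anonymity range lookup that HIBP’s Pwned Passwords API uses (only the first five hex characters of the password’s SHA-1 are sent, the server returns every suffix sharing that prefix, and the match happens locally). The endpoint and response format are the real ones; the response used for the offline demo is constructed, and the `fetch_range` injection point is an assumption made so the check can be exercised without network access.

```python
"""Check a password against a breach corpus without revealing it.

Added example (not from the article). Uses the Pwned Passwords k-anonymity
scheme: send SHA-1 prefix (5 hex chars), receive all matching suffixes,
compare locally. The `fetch_range` callable is injected so the demo below runs
offline against a constructed response rather than the live endpoint.
"""
import hashlib
from typing import Callable, Dict

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times `password` appears in the corpus (0 = not seen).

    fetch_range(prefix) must return the response body for RANGE_URL + prefix.
    Only the 5-character prefix ever leaves this process.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def live_fetch(prefix: str) -> str:
    """Real lookup over HTTPS (not used by the offline demo below)."""
    import urllib.request
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response (not a real API capture): it contains the suffix
# for "password" (SHA-1 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8) with an
# illustrative count, plus two unrelated suffixes.
PASSWORD_DIGEST = "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"
SAMPLE_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    PASSWORD_DIGEST[5:] + ":3730471",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
])


def offline_fetch(prefix: str) -> str:
    """Stand-in for live_fetch that only knows the constructed range above."""
    if prefix != PASSWORD_DIGEST[:5]:
        return ""
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(repr(pw), "->", pwned_count(pw, offline_fetch))
```

Swap `offline_fetch` for `live_fetch` to query the real service; the comparison is still done on your side, so the service learns only a 5-character prefix shared by hundreds of other hashes.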
Jake Moore, a cybersecurity expert at ESET UK, said, “It is quite a feat not to have had an email address or other personal information breached over the past decade.”
Moore stressed the importance of “using password managers for each and every service used,” the Guardian reported.
Rami Essaid, co-founder of Distil, said, “Password dumps create a ripple effect of organizations spending precious time and resources on damage control. The massive spike in failed logins, then the access into someone else’s account before the hacker changes the password, then the account lock-out for the real user, then the customer service calls to regain access to their account.”
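The symptoms Essaid lists (a spike in failed logins, then a success on an account the attacker does not own) are what a detection rule for credential stuffing keys on. The following is an added example, not code from the article or from any product named in it. The log format, the thresholds and the log lines are all constructed for the example. The point it shows is that stuffing does not look like a brute force: each account sees one or two attempts, so per-account lockout rules miss it, while one source cycles through many accounts in a short window, which is what this detector counts.

```python
"""Spot a credential-stuffing burst in authentication logs.

Added example (not from the article). Flags sources that fail across many
distinct accounts inside a time window and records any success from such a
source, which is the likely account takeover.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Assumed log format (constructed for this example, not any real product's):
#   <ISO-8601 timestamp> ip=<source> user=<account> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

Event = Tuple[datetime, str, str, str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["ip"], m["user"], m["result"]


def detect_stuffing(lines: List[str], window: timedelta = timedelta(minutes=5),
                    min_failures: int = 8, min_users: int = 5) -> Dict[str, dict]:
    """Return {ip: {failures, distinct_users, successes}} for sources whose
    failures inside any `window` cover at least `min_users` accounts.

    Thresholds are assumptions for the example; tune them to the login rate
    of the service being protected.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[0])
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: Dict[str, dict] = {}
    for ts, ip, user, result in events:
        if result == "OK":
            # A success from an already-flagged source is the takeover signal.
            if ip in flagged and user not in flagged[ip]["successes"]:
                flagged[ip]["successes"].append(user)
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= min_failures and len(users) >= min_users:
            entry = flagged.setdefault(
                ip, {"failures": 0, "distinct_users": 0, "successes": []}
            )
            entry["failures"] = max(entry["failures"], len(q))
            entry["distinct_users"] = max(entry["distinct_users"], len(users))
    return flagged


# Constructed sample: 203.0.113.5 sprays one attempt per account and lands on
# "ivan"; 198.51.100.7 is a real user mistyping their own password; one line
# is malformed to show it is skipped rather than crashing the run.
SAMPLE_LOG = """
2019-01-17T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-01-17T10:00:02Z ip=198.51.100.7 user=alice result=FAIL
2019-01-17T10:00:03Z ip=203.0.113.5 user=bob result=FAIL
2019-01-17T10:00:05Z ip=203.0.113.5 user=carol result=FAIL
2019-01-17T10:00:06Z ip=198.51.100.7 user=alice result=FAIL
2019-01-17T10:00:07Z ip=203.0.113.5 user=dave result=FAIL
2019-01-17T10:00:09Z ip=203.0.113.5 user=erin result=FAIL
2019-01-17T10:00:11Z ip=203.0.113.5 user=frank result=FAIL
2019-01-17T10:00:12Z ip=198.51.100.7 user=alice result=OK
2019-01-17T10:00:13Z ip=203.0.113.5 user=grace result=FAIL
2019-01-17T10:00:15Z ip=203.0.113.5 user=heidi result=FAIL
2019-01-17T10:00:17Z ip=203.0.113.5 user=ivan result=OK
2019-01-17T10:00:19Z ip=203.0.113.5 user=judy result=FAIL
this line is malformed and is skipped
2019-01-17T10:00:20Z ip=192.0.2.9 user=mallory result=OK
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LINES).items():
        print(ip, info)
```

The legitimate user at 198.51.100.7 fails twice on a single account and is never flagged; the spraying source is flagged once it has failed on eight different accounts, and the later success on `ivan` is attached to that source so the account can be forced through a password reset before the attacker changes it.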
Moore said, “If you’re one of those people who think it won’t happen to you, then it probably already has. Password-managing applications are now widely accepted, and they are much easier to integrate into other platforms than before.”
He added, “Plus, they help you generate a completely random password for all of your different sites and apps. And if you’re questioning the security of a password manager, they are incredibly safer to use than reusing the same three passwords for all your sites.”