2,692,818,238 rows of email IDs and passwords are listed in a single database online.
OK. This may look scary. But don’t panic as yet. However, is sure should be a concern to you. Well, hold your breath. This article is about creating awareness and letting you know if you were part of any data breach, big or small. And if you were, which ones were you leaked in.
Collection #1. This is the name given by Australian Troy Hunt who is a Microsoft Regional Director and Microsoft Most Valuable Professional for Developer Security. What is this? It is a database collection of the number of emails and passwords that were leaked, hacked, stolen, whatever you want to name it. The number that filled this database? It’s no joke. A whopping seven hundred and seventy-three million. Yes, 773 million, and probably counting. And the database is hosting the information from breaches as old as 2008.
According to Hunt’s database, to date, there are 773 million email addresses and passwords that were leaked out in all of the data breaches that are known to date. Hunt keeps a tab on most of the leaked data online and lists a record database. His present database is now filled with 2,692,818,238 rows of email IDs and passwords. It's made up of many different individual data breaches from literally thousands of different sources.
In total, there are 1,160,253,228 unique combinations of email addresses and passwords in that database. “This is when treating the password as case sensitive but the email address as not case sensitive. This also includes some junk because hackers being hackers, they don't always neatly format their data dumps into an easily consumable fashion. (I found a combination of different delimiter types including colons, semicolons, spaces and indeed a combination of different file types such as delimited text files, files containing SQL statements and other compressed archives.),” he writes on his blog.
The unique addresses have totalled a whopping 772,904,991 and he has now loaded this entire database into his online website HIBP (Have I Been Pawned), so that you as a user can go and check if you were part of any of these breaches. As simple as checking the exam results on a large list, all you need to do is head to the Have I Been Pawned website, enter your email address there and hit the search button. If you were part of the breached data, you will be alerted immediately on that result page, and the result will also highlight the compromised website/service which let resulted in your data being part of the database.
When there is a breach, hackers who stole that data, usually either dump it online or sell it to bidding buyers on the dark web. What happens post that is only unimaginable. Either your email address is used as a list to spam, or your passwords could be used to dig some gold data that could either be sold for a good amount or used against you. It all depends on what you have stored up there and how it can benefit someone else. It could be anything from your family pics to your nude selfies or your banking account details to a simple copy of your electric or medical bill. Whatever the data is, it could be gold for someone out there who is looking for anything that shines.
If you find yourself listed in that list, be ensured that your name, password or any details retrieved from the leaked database, is not listed. The HIBP service is only an information that lets you know if you were part of the hacked database, and which breach. Post that, you can take action to either change your passwords from those services which were breached or simply change all of them. Not only email addresses, but you can also search the HIBP website and find out if your said password is also part of any of these databases. “This is a password search feature I built into HIBP about 18 months ago. The original intention of it was to provide a data set to people building systems so that they could refer to a list of known breached passwords in order to stop people from using them again (or at least advise them of the risk),” mentions Hunt on his blog. “Whilst I can't tell you precisely what password was against your own record in the breach, I can tell you if any password you're interested in has appeared in previous breaches Pwned Passwords has indexed. If one of yours shows up there, you really want to stop using it on any service you care about,” he further added.
In fact, I was surprised myself. When I checked the two websites, I found that my email address was part of at least 12 breaches and my password was available on as many as 6 torrent databases that were available for free download. Shocking as it was to me, I found out that there were some old websites and services that were not being used by me anymore. Probably I either stopped using them or forgot the websites completely, but I did not make an attempt to note them down and ensure that I de-register myself from them. Well, 28 years on and I am now still trying to eat into my brains to only find out how many email IDs I created, and probably used the same passwords and emails IDs on different other online services. Today, being in a fix, all I can do is make time and get them rectified. I don’t know how am gonna do it. Nevertheless, I will have to, simply because they will be related in someway or the other, on many more services.
What is the risk of your data being on that list?
The risk is probably huge unless you really don’t have any sensitive data online. The list is a combination of usernames (usually email addresses) and passwords, which is almost 2.7 billion in total. And each and every one of them could be used by the wrong hands for credential stuffing. “Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts,” says Hunt.
“People take lists like these that contain our email addresses and passwords then they attempt to see where else they work. The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because it’s subsequently been breached and you've been using that same password all over the place, you've got a serious problem,” he adds.
What should you do now?
First and foremost, get down to the websites you signed in and ensure you change the passwords and any other information you entered there. Ensure that the new passwords are completely unique, non-guessable. Use a password manager utility. Hunt banks on and recommends 1Password password manager, which he has also tied up with for his HIBP service. 1Password will not only safely create, manage and store your passwords for you, but it can now also look up the HIBP database and tell you any of your email IDs and passwords were previously breached and are part of that list. Additionally, you should also ensure that you use the 2-factor authentication wherever possible. This way, even if someone knows your password, he will not be able to gain access without the second layer of authentication — your phone. Kaspersky Password Manager is another password manager that you could switch to or start using.
Kaspersky Lab expert Sergey Lozhkin from Global Research and Analytics Team (GReAT) says, “This massive collection of data harvested through data-breaches had been built up over a long period of time, so some of the account details are likely to be outdated now. However, it is no secret that despite growing awareness of the danger, people stick to the same passwords and even re-use them on multiple websites. What’s more, this collection can be easily be turned into a single list of e-mails and passwords: and then all that attackers need to do is to write a relatively simple software program to check if the passwords are working. The consequences of account access can range from very productive phishing, as criminals can automatically send malicious e-mails to a victim’s list of contacts, to targeted attacks designed to steal victims’ entire digital identity or money or to compromise their social media network data.”
Today we are still seeing many websites forcing you to change passwords at regular intervals, but many refrain from using unique ones. Maybe as users, we are unable to think of something new and unique which we could remember easily too, but we are definitely running out of options. However, this is no excuse and its time we pull up our socks and at least defeat the hacker by using different passwords on different websites. However, website admins also need to ensure that they have their gates well-protected as hackers are always one step ahead.
Data breaches will continue. And as long as we as netizens will continue to use simple and common passwords, the database will keep increasing. We will probably see Collection #2 / #3 /#4 and so on be on air soon; but also hope never to see it too. It’s time the industry makes a bigger move towards better security standards and more importantly, make it equally easy (and definitely robust) for the user.