More than 772 million emails and 21 million unique passwords have been exposed on a hacker forum in one of the largest leaks in history, as reported on his personal blog by the cybersecurity expert Troy Hunt. All the data was compiled in a huge 87GB file hosted on the MEGA cloud storage service. Hunt has named the breach Collection #1, after the name of the folder in which he found all the information.
At the moment, the origin and the author of the leak are unknown. Although the files have already been removed from MEGA, it is possible that several people have copies of this database and may even share it again on the web. After analyzing all the information, the cybersecurity expert verified that some of the emails and passwords had been exposed previously. Even so, more than 140 million emails and 10 million passwords correspond to new leaks. "It just seems like a completely random collection of sites to maximize the amount of credentials available to hackers," Hunt told the technology magazine WIRED.
The danger of someone gaining access to an email account is that they can read all the details of the messages and even impersonate the owner. In addition, if the same username and password are used on other Internet platforms, attackers may access other services such as social networks or bank accounts. "People make lists like this [Collection #1] with our email and passwords and then try to see where else they work. The success of this tactic is based on people reusing the same credentials in multiple services," Hunt explains on his blog. He is also responsible for Have I Been Pwned, a website that lets you check whether an email address or password has been compromised.
It is not the first time that a leak of this type has taken place, but what stands out in this case is the number of affected users. This is one of the largest leaks of user data in history, behind only the hack admitted by Yahoo in 2017, when the company acknowledged that the massive data theft it suffered in 2013 affected the 3,000 million accounts that were active at that moment.
How to know if you are affected
Although the file has already been removed, Hunt points out that there is "a serious problem" if someone already has the credentials in their possession, and he recommends checking. To do this, just visit the Have I Been Pwned website and enter the email address. The platform not only indicates whether you are among those affected by Collection #1, but also whether the email is part of any security breach Hunt has catalogued in recent years.
However, Have I Been Pwned does not let the user check which password is associated with that email. Although many users ask Hunt for this information, he refuses to provide it because he considers that email is not "a secure communication channel" for sending credentials.
The site does, however, make it possible to search whether a specific password has been exposed, through Pwned Passwords, a database that collects more than 551 million credentials exposed in some leak. For example, when entering the password "123456", one of the most common among users but one that should be avoided at all costs, the system indicates that "it has been seen 23,174,662 times before". "This password has previously appeared in a data breach and should never be used. If you have ever used it somewhere, change it!" the website warns.
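The Pwned Passwords lookup described above can also be done programmatically without sending the password itself to the service: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the public range endpoint (https://api.pwnedpasswords.com/range/ followed by that prefix), and receives every hash suffix starting with that prefix together with its breach count, so the full hash never leaves the machine. The following is an added example written for this page; it is not code from the article or from Have I Been Pwned. The response body below is constructed for the example, the count for "123456" is the figure the article quotes, and the other suffixes and counts are made up; the `fetch_range` helper is optional and only needed if you run it against the live service.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"  # public k-anonymity endpoint

# Constructed sample response for hash prefix 7C4A8 (the prefix of SHA-1("123456")).
# The first entry carries the count the article quotes for "123456"; the rest are invented.
SAMPLE_RANGE_7C4A8 = """\
D09CA3762AF61E59520943DC26494F8941B:23174662
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:3
FFEEDDCCBBAA99887766554433221100FFE:17
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash the password with SHA-1 (as Pwned Passwords does) and split it into
    the 5-char prefix that is sent to the API and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a mapping of suffix -> breach count."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count_from_response(password: str, body: str) -> int:
    """Return how many times the password appeared in breaches, given the range
    response for its own prefix. 0 means the suffix is not in the returned set."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Optional live lookup: fetch the range body for a 5-char hex prefix.
    Only the prefix is transmitted; the password and full hash stay local."""
    url = RANGE_API + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:  # network access required
        return resp.read().decode("utf-8")


def is_password_pwned(password: str) -> int:
    """Convenience wrapper for live use: hash, query by prefix, match suffix locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count_from_response(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration with the constructed response body.
    for pw in ("123456", "a-long-unique-passphrase-for-this-demo"):
        n = breach_count_from_response(pw, SAMPLE_RANGE_7C4A8)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in this range")
```

Note that a count of 0 from a single range body is only meaningful when that body was fetched for the password's own prefix; a different password will almost always hash to a different prefix and must be looked up separately. The suffix comparison happens entirely on the client, which is what makes the check safe to run on a password you are still using.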
Everyone affected is advised to change the passwords of their accounts as soon as possible and to enable two-step verification wherever it is available. If you reuse a password across different services, a good option is a password manager: these programs generate random passwords and remember them for us.
"The only safe password is the one I can not remember," Hunt says on the blog. Although he argues that password managers are the best option for securing online accounts, he is aware that some people will probably prefer to keep their passwords the old-fashioned way: "If using a digital password manager is a step too big, go to the old school and get an analog one. That is, a notebook. Writing down the unique passwords in a book and keeping them inside a closed house is much better than reusing them all over the web."