Coming in hot this Monday morning with a developing story regarding one of, if not the largest data breach dump of all time. Deemed “Collection #1” for its collated structure. Collection #1 was a series of data dumps from over 2,000 databases, and this data breach hits close to home. After being alerted early Saturday, January 19th, 2019, I noticed an odd email forward from a website I’d never seen or heard of, alerted me that an older personal email and password was compromised. Taking this notice, we’ve used our experts to dig deeper into the Collection #1 data breach.
By starting with the raw-data first, Collection #1 is a set of email addresses and passwords that have totaled 2,692,818,238 rows, of spreadsheets, with decrypted passwords. Made up of several smaller breaches organizations, forums, social platforms make up the varying sources. In total, the data creates 1,160,253,228 unique combinations for emails and passwords. (emails are NOT case sensitive) It should be noted, 772,904,991 unique emails and 21,222,975 other personal data records were released on the dark web on Friday, January 18th, 2019.
Origins of this Data
To further heighten the stakes, with the original documentation pictured above, we can see hackers are neatly formatting their data-dumps, and this shows the delimited text formats (commas, semicolons, syntax) further proving the original origin of this data. Posted late last week on the popular dark web service MEGA, over 12,000 separate files were collected, totaling 87GB of data that has since been removed from the dark web site. Referencing the image below, the expanded view shows the file listing and the many alleged sources. (it’s very difficult to discover the source of data breach information)
What I can say, is I checked, and verified my own personal data, though it was inaccurate, it was credentials, that I personally used several years ago. Like many of you reading this, I’ve bared witness to my data being in these breaches and although it’s always outdated credentials it still provides me with a sense of dismay, though I know it’s not personal.
How “Hashed Passwords” are Used in Hacking
As I’ve mentioned, there was a mix of “hashed” and “de-hashed” passwords that were cracked, and output to plain-text. These massive files are used with automation tools to resplendently attempt numerous credentials. For an example, if you head over to HIBP, and you enter the word “P@assw0rd” it will return the password as being cracked or broken 51,000 times, so this is obviously ill-advised though it meets common password standards, like upper case, lower case, number, and 8 characters long.
So, What’s at risk here?
In short, if you’re involved in this data breach, many of your passwords could already be compromised, in this case, used for credential stuffing. Credential stuffing is the process of automated injection of breaches usernames, emails and password pairs to gain fraudulent access to your accounts, once reporting with access, they leverage this same list across banking, emails, and website servers.
The cold reality of this situation is 140 million emails were taken with 21 million in passwords not already disclosed or discovered. My hope is that many will be prompted to broaden their security posture and look past the basic steps in password difficulty. There is something big to take away from all these breaches occurring. Two-step verification could prevent access to many business’ vital applications that are now being moved to the cloud or online.