Remember how optimistic we all were that 2019 would be a better year than 2018? Well, so much for that idea. We’re barely three weeks into the new year and it looks like we’ve already been subjected to one of the biggest data leaks on record. Security researcher Troy Hunt reports that he was alerted to a massive collection of suspicious files on the file hosting site MEGA. There were apparently about 12,000 different files, which Hunt says have since been removed from the site but are still being circulated on an unnamed hacker forum. What was in that 87GB cache of files? According to the researcher, it held no fewer than 2.7 billion rows of email addresses and passwords. Once Hunt ran it through some filters and cleaned everything up, he found a whopping 773 million unique email addresses and more than 21 million unique passwords.
Hunt refers to this massive credential leak as “Collection #1,” after the name of the folder the data was posted under, and its origins are unclear for the time being. Given that name, it is likely that the data aggregates credentials from many earlier breaches rather than coming from a single new intrusion. What is clear is that hundreds of millions of people are potentially exposed, so we’re going to show you exactly how to find out if you are among them.
Before we get to damage control, there is some good news. According to Hunt’s findings, at least a portion of the emails and passwords in the dump are quite old and out of date. How would he know that? Hunt found his own email address and passwords among the leaked data, but he said the password tied to his account is one that he hadn’t used for several years. If you use a different password for every site and retire any password once it shows up in a breach (current guidance favours this over rotating passwords on a fixed schedule), an old leaked password is of little use to an attacker trying it against your accounts today.
“What I can say is that my own personal data is in there and it’s accurate; right email address and a password I used many years ago,” the security researcher wrote in a blog post covering the leak. “Like many of you reading this, I’ve been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again. They’re also ones that were stored as cryptographic hashes in the source data breaches (at least the ones that I’ve personally seen and verified), but per the quoted sentence above, the data contains “dehashed” passwords which have been cracked and converted back to plain text. (There’s an entirely different technical discussion about what makes a good hashing algorithm and why the likes of salted SHA1 is as good as useless.) In short, if you’re in this breach, one or more passwords you’ve previously used are floating around for others to see.”
So, how do you find out if your email may have been exposed? It’s actually quite simple. Hunt loaded the cleaned-up data into Have I Been Pwned (haveibeenpwned.com), the well-known breach-notification site he runs. As the name suggests, the site tracks hacks, leaks, and any other type of breach, allowing users to quickly determine if they might have been exposed.
Just head to the Have I Been Pwned website and enter your email address in the search box. If your address was exposed in this or any other breach, the site will let you know which breaches it appears in. If it says you have been exposed, change the password on the affected account immediately, and change it on every other site where you reused the same password, because Collection #1 pairs email addresses with passwords that criminals will try against popular services (so-called credential stuffing). You should also enable two-factor authentication whenever possible. If you want to take your check-up one step further, you can also use the site’s Pwned Passwords search to see whether a password you use appears in this or any other breach. That search does not send your password to the server: your browser hashes it with SHA-1 and sends only the first five characters of the hash, then matches the rest locally against the list of hash suffixes that come back, so the site never learns the full password.