Reports earlier this week revealed what’s being referred to as “Collection #1,” an 87GB pile of data that included no fewer than 773 million unique email accounts and more than 21 million different passwords. In total, the database contained some 2.7 billion records, and we already told you how to check whether it contains your email account(s). It turns out that Collection #1 might be part of a series of similar data sets collected from other online breaches, as someone out there has been hoarding all this data and is making it accessible to nefarious actors for just $45.
After security researcher Troy Hunt posted details about Collection #1, a different security researcher you may already know revealed more information on the matter.
Brian Krebs explains that the hacker who’s selling access to the data talked to him over Telegram, sharing proof that reveals the entire database of hacked email addresses and passwords amounts to almost 1TB, which is more than ten times more data than the initial hack.
The sale of some 773M email addresses and 21M unique passwords on a hacking forum has been dubbed the biggest ever. People are freaking out. But according to the guy selling this, it's neither new nor the biggest. It's about 2-3 years old https://t.co/TQxoSwpfSu pic.twitter.com/kpePzoOIqb
— briankrebs (@briankrebs) January 17, 2019
Krebs said that Collection #1 is not new; it’s about two to three years old. The biggest “Collection” file is actually Collection #2, which amounts to 526GB of data. As one of the screenshots shows, the price for lifetime access is just $45.
What’s worse is that the hacker has access to some 4TB of password packages, which are less than one year old.
Yes, these revelations are scary, but you shouldn’t necessarily panic. If you’ve been doing passwords right, then each online account that you own has a unique, hard-to-crack password, and you’re managing everything with a password manager like 1Password. Add to that some password changes over the years, especially once some of the online services you use were hacked, and you should be good. Even if hackers do have your email accounts on record, and even if they have the password for one of your many online accounts, they won’t be able to use it to hack sensitive properties like your online banking accounts, or anything that might help them steal personal details about you.
Of course, not everybody out there cares that much about passwords, which is why people keep using dumb ones, the kind that can be easily guessed. What’s worse is that some people use the same password over and over, which is why these databases are an excellent resource for people looking to steal the identity of others. One password may be enough to crack into a user’s various accounts. And an email account may be more valuable than you think, holding the keys to many online services, as seen in the illustration above.
If you’ve been using bad passwords, then there’s time to fix everything. Start by checking if your data was compromised, and then start changing your passwords. All. Of. Them.
Read more about Krebs’ findings over at KrebsOnSecurity.