Troy Hunt, a prolific cybersecurity researcher has probably assembled one of the largest data leak collection in the world at the time of this writing. A collection of aggregate massive leaks containing 773 million email addresses and around 21 million passwords. Dubbed ‘Collection #1’, when laid out in a spreadsheet, it will occupy 2,692,818,238 rows.
“Collection #1 is a set of email addresses and passwords totaling 2,692,818,238 rows. It’s made up of many different individual data breaches from literally thousands of different sources,” explained by Hunt.
Anonymous sources gave him a lead to track down a huge stash of files, measuring 87 GB from MEGA (a mainstream cloud storage service). The 87GB data stash is contained in the 12,000 files.
“However, what I can say is that my own personal data is there and it’s accurate; right email address and a password I used many years ago,” revealed Hunt.
With the information at hand, Hunt voluntarily created a website haveibeenpwned.com, in order for people to search their email address and see if their email accounts one way or another was part of the data leak contained in the collection. Newly created email accounts are more likely to produce ‘Good news – no pwnage found!’which indicates that cybercriminals involved in the data leaks didn’t get a hold of the user’s email address. A message ‘Oh no – pwned!’ indicate that the email account of the user somehow was part of the hacked data now at the hands of cybercriminals.
One of the biggest data leaks in an email system was Yahoo, that happened in 2013 covering 3 billion Yahoomail accounts. Most of the ‘Oh no – pwned!” result came from old Yahoo emails predating the year 2013. This was very damaging to Yahoo as their user base dwindled in favor of their more popular rival, Gmail due to the incident.
It is easy to just abandon a personal email account if it tends to be included in the Pwned Password list provided by Mr. Hunt. The only silver lining is for users to ensure that their passwords will be kept secure from this point going forward. Surely if someone asked us how many passwords we have or how many services we put some type of verification with username and password that number would surely exceed 15 per individual. We also manage our own social network accounts in which we have a username and password to access them.
A typical user will probably repeat an already used password across multiple accounts, or with easy variations to be able to remember them, but this is a big security failure. For the fact that if someone with bad intentions knew our password could do a lot of damage in the services in which we are registered. The solution is very simple and will not leave you indifferent: password managers, Programs capable of remembering passwords and users that we have previously added and thus help us remember them, which also allow creating more secure passwords, no matter how difficult they may be.