No, you didn’t read that wrong. Technically, the leak contained 2,200,000,000 unique usernames and passwords. The actual total record count is much higher at around 25 billion. We’ll explain why those numbers are different and why that matters later. So what happened?
In the last few years, many companies have suffered data breaches. The biggest leaks included Yahoo, Dropbox, and LinkedIn. Hackers sometimes use that stolen information for their own purposes. Sometimes they sell it on the dark web. Occasionally, a new idea results in something we haven’t seen before.
Someone Started A Password Collection
It appears that an anonymous hacker decided to help out the hacking community at large. Wouldn’t it be easier to access leaked user information if someone compiled all those stolen usernames and passwords? Basically, it could be a library or collection of credentials. In this case, it began with the release of a simple folder called “Collection #1” earlier in January.
Collection #1 was initially found on a few cloud sharing services. The folder held over 12,000 files totaling more than 87 GB of data. Collection #1 included a mere 773 million unique email addresses and 21 million unique passwords. The records were organized by topic, so you could search for login information for everything from financial sites to mail accounts.
You’ll probably find a username and password combination you’ve used in Collection #1. We tested a few of our personal accounts and found our own information. The credentials were old, but it was valid information at one time.
The Collection Grew
Collections #2-5 followed. Researchers have been analyzing these new collections over the last few days. With a whopping 845 GB of data, this is where you’ll find those 25 billion records. Collections #2-5 contain nearly three times the data in Collection #1. After removing duplicate information, 2.2 billion unique records remain.
“This is the biggest collection of breaches we’ve ever seen. It’s an unprecedented amount of information and credentials that will eventually get out into the public domain.”
-Chris Rouland from Phosphorous.io
To make matters worse, these Collections are spreading rapidly. Within days, 130 people were sharing this data, and it had already been downloaded over 1,000 times.
Mostly Bad News
There is some good news. Some of these credentials come from old leaks. The Hasso Plattner Institute (HPI) keeps a database of previously leaked usernames and passwords, and much of the data in Collections #1-5 already exists there.
However, 750 million records were new. No one knows where this new data came from. It’s possible that it came from many smaller sources. There’s just no way to know at the moment. That’s part 1 of the bad news.
Part 2 of the bad news shows itself in the disparity between total records and unique records. Why are there only 2.2 billion unique records within 25 billion total records? Simply put, everyone reuses the same set of 3-4 passwords, so the same credential pairs show up again and again across breaches.
That brings us to part 3 of the bad news. These collections let anyone take the leaked username and password pairs and try them against other websites, an attack known as credential stuffing. Since everyone’s reusing those same 3-4 passwords, the likelihood of finding a valid set of credentials increases dramatically.
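To make the total-versus-unique gap concrete, here is a small Python script that does what a security team would do with a combo list: parse the email:password lines, normalize the email addresses, deduplicate, and count how many records share a password with another account. This is an added example written for this article, not code from the researchers who analyzed the Collections, and the dump excerpt it parses is constructed for the example (every address and password in it is made up).

```python
import re
from collections import defaultdict

# Constructed excerpt of a combo list in the email:password form the
# Collections used. Every line here is made up for this example.
SAMPLE_DUMP = """\
Alice@Example.com:Summer2017!
alice@example.com:Summer2017!
alice@example.com:Summer2018!
bob@example.com:hunter2
bob@example.com:hunter2
BOB@example.com:hunter2
carol@other.org:correct horse battery staple
dave@example.com:hunter2
malformed line without separator
"""

# One email (no colon or whitespace inside), a colon, then the password.
LINE_RE = re.compile(r"^([^:\s]+@[^:\s]+):(.+)$")


def parse_dump(text):
    """Yield (email, password) pairs, lower-casing the email and skipping
    lines that do not parse."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1).lower(), m.group(2)


def dump_stats(text, domain=None):
    """Return the counts that explain the total-vs-unique gap.

    total  - every parsed line (what a raw record count like 25 billion counts)
    unique - distinct (email, password) pairs after normalizing the email
    reused - unique pairs whose password is also used by another account
    Pass domain="example.com" to restrict the analysis to your own users.
    """
    pairs = list(parse_dump(text))
    if domain:
        pairs = [p for p in pairs if p[0].endswith("@" + domain.lower())]
    unique = set(pairs)

    # Map each password to the set of accounts using it.
    users_by_password = defaultdict(set)
    for email, pw in unique:
        users_by_password[pw].add(email)
    reused = sum(1 for _, pw in unique if len(users_by_password[pw]) > 1)

    return {"total": len(pairs), "unique": len(unique), "reused": reused}


if __name__ == "__main__":
    print(dump_stats(SAMPLE_DUMP))                 # whole dump
    print(dump_stats(SAMPLE_DUMP, "example.com"))  # just one domain
```

Eight parsable lines collapse to five unique pairs once case and exact duplicates are removed, and two of those five share a password with another account. On a real dump the same three numbers tell a defender how much of the raw record count is noise and how many of their own users are exposed to credential stuffing.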
What Should You Do?
Look For Your Data
First, you can use a couple of tools to see how this leak affects you. HPI’s Identity Leak Checker and Have I Been Pwned allow you to enter your email address and see which breaches contain your information. Collections #2-5 are still being added to Have I Been Pwned at the time of this writing.
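Have I Been Pwned also publishes a Pwned Passwords range API that lets you check a password against its leaked-password corpus without sending the password: you submit only the first five hex characters of the password’s SHA-1 hash and receive every hash suffix in that range with a count of how often it appeared in breaches. The Python below is an added example for this article, not code from Have I Been Pwned; the range response it parses is a constructed sample with a made-up count, and the live endpoint URL is the API’s public range endpoint, which the offline demo never calls.

```python
import hashlib
import urllib.request

# Public range endpoint of the Pwned Passwords API (not called in the offline demo).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6. Real responses
# contain hundreds of lines; the counts here are made up for the example.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1E4C9B93F3F0682250B6CF8331B7EE68FD9:1
"""


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest.

    Only the prefix ever leaves the machine; the suffix is matched locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Parse a 'SUFFIX:COUNT' response and return the count for our suffix,
    or 0 if the suffix is not present (i.e. the password was not in the corpus)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup of one hash range (network access required)."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_lookup(prefix):
    """Stand-in for fetch_range that serves the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def password_breach_count(password, lookup=fetch_range):
    """How many times the password appeared in known breaches (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, lookup(prefix))


if __name__ == "__main__":
    # "password" hashes to 5BAA61E4..., so it falls in the sample range.
    print(password_breach_count("password", lookup=offline_lookup))
```

Any non-zero count means the password is already in attackers’ hands and should not be used anywhere; a password manager’s generated passwords will come back with a count of 0. Because only the five-character prefix is sent, the service learns nothing that identifies the password you checked.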
Get a Password Manager
We’ve mentioned password managers like LastPass and 1Password before. It takes a little time to set these up, but you’ll be glad you did. With the ability to integrate into your browsers and mobile devices, you only have to remember one password. The password manager does the rest. Free options are available, but the paid versions add useful features.
Change Your Passwords
If you haven’t changed your passwords recently, go change them now, and make each one different from the others. We wrote up a password guide last year. Your password manager can also generate passwords for you, so take advantage of that. The time spent doing this could protect your accounts from being compromised.
The same recommendations apply to organizations. We know that implementing procedures and educating staff about passwords and IT security can be challenging. Pit Crew IT Services is here to help. If you’d like assistance with this or any other IT issue, we’re happy to assist you. Simply give us a call or request a free consultation below. Current clients can visit our Support page.