Troy Hunt, the site admin of Have I Been Pwned just released some disconcerting news. A new data breach of humongous proportions has just been made public, we are talking astronomical numbers. He has called this data set "Collection#1" and is by far the largest he has ever found. This thing is kind of a "breach of breeches and contains about 2,000 leaked databases. This monster consists of :
- email addresses and passwords totalling 2,692,818,238 rows
- 1,160,253,228 unique combinations of email addresses and passwords
- unique email addresses totalled 772,904,991
- there are 21,222,975 unique passwords
He said: "There’s no obvious patterns, just maximum exposure. That's the numbers, let's move onto where the data has actually come from. Last week, multiple people reached out and directed me to a large collection of files on the popular cloud service, MEGA (the data has since been removed from the service). The collection totalled over 12,000 separate files and more than 87GB of data. One of my contacts pointed me to a popular hacking forum where the data was being socialised, complete with the following image":
Troy has loaded all this information in the Have I Been Pwned and there is lots more detail about this new breach over at Troy's Blog. The database seems to have been put together for credential-stuffing attacks, in which hackers rapidly test email and password combinations at a given site or service. This is typically a fully automated process which preys especially on people who reuse passwords across multiple sites on the internet.
How Serious Is This?
WIRED called it: "Pretty darn serious! While it doesn't appear to include more sensitive information, like credit card or Social Security numbers, Collection #1 is historic for scale alone. A few elements also make it especially unnerving:
- Around 140 million email accounts and over 10 million unique passwords in Collection #1 are new to Hunt’s database, meaning they’re not just duplicates from prior megabreaches.
- Then there’s the way in which those passwords are saved in Collection #1, these are all plain text passwords.
- And lastly, Hunt also notes that all of these records were sitting not in some dark web backwater, but on one of the most popular cloud storage sites—until it got taken down—and then on a public hacking site. They weren’t even for sale; they were just available for anyone to take."
Find out if any of your users are exposed in this brand-new humongous data breach.
KnowBe4’s Password Exposure Test (PET) is a brand-new and complimentary IT security tool that allows you to run an in-depth analysis of your organization’s hidden exposure risk associated with your users. PET is integrated with the HIBP site and will check for all the compromised data above.
PET makes it easy for you to identify users with exposed emails publicly available on the web, and checks your Active Directory to see if they are using weak or compromised passwords that are part of a known data breach. PET then reports on any user accounts affected so you can take action immediately!
With Password Exposure Test you can:
- Search and identify any of your users with exposed emails, account information, or passwords available on the web
- Quickly isolate password security vulnerabilities and easily identify high risk passwords being reused within your organization
- Generate a detailed report on user accounts affected. You can download the summary report as a PDF or Excel file directly within the tool
Password Exposure Test can help you identify which users may be putting your organization at risk before the bad guys do. Get your results in a few minutes! You are probably not going to like what you see.
Don't like to click on redirected buttons? Copy & paste this link into your browser: