Experts Comment: 21 Million Passwords, 773 Million Emails Breached via “Collection #1”

Experts Comment: 21 Million Passwords, 773 Million Emails Breached via "Collection #1"

2019 only just began. Already we’ve suffered a breach invariably destined to compete for the title of Worst of the Year.

Security researcher Troy Hunt, who maintains email and password compromise search engine Have I Been Pwned, discovered and alerted the public about the breach; he found nearly 773 million unique email addresses and 21 million unique passwords posted to a “popular hacking forum” in a folder entitled “Collection #1.”

The full Collection #1 folder contained over 12,000 files and 87 gigabytes of data. Mr. Hunt cleaned the folder’s data set, which contained over 2.7 billion rows of email addresses and passwords, to provide a clearer view of the breach’s true scale.

On a post detailing his research into the Collection #1 breach, Mr. Hunt speculates the data may have originated for multiple sources; in fact, it could represent an aggregation of cracked, de-hashed passwords from thousands of databases. However, Mr. Hunt notes verifying data breaches involves extensive processes. Until further evidence is discovered, he stresses, his opinions about the origins of Collection #1 should be treated as “alleged.”  

Those responsible for Collection #1 have not yet been identified. Its existence would serve as an excellent tool for hackers interested in infiltrating enterprise networks. It also benefits threat actors initiating credential stuffing attacks.

What Should Your Enterprise Do About Collection #1?     

Collection #1 has been removed from the sites hosting it. However, the damage has already been done. Will LaSala, Director of Security Solutions and Security Evangelist at OneSpan, shared his thoughts on what you enterprise can do now.

“This is a colossal breach. Those impacted should act fast to change any reused passwords, as the exposed credentials can be used by criminals in credential stuffing attacks to cause maximum damage across multiple other accounts. And with criminals trading assets in underground forums, data from this breach could easily be cross-referenced with information lying elsewhere to bypass authentication. For the more high-risk accounts like banking accounts, this poses a very real fraud threat.”

“If this doesn’t highlight the need for security reach beyond the password, then not much else will. We should know by now that using a combination of multiple, layered authentication technologies gives companies, and users, the best chance. Banks especially should be upgrading their authentication procedures to more intelligent methods to mitigate the fraud risk in the aftermath of attacks such as this. This technology should combine multiple authentication techniques, whether that’s fingerprints, behavioral biometrics or one-time passwords.”

More Experts Offer Their Perspectives

Bimal Gandhi, Chief Executive Officer at Uniken, also shared his thoughts.

“Albert Einstein said: ‘The definition of insanity is doing the same thing over and over again, but expecting different results,’ and the continued reliance on outdated security methods such as using PII in authentication certainly fits that definition, given the proliferation of stolen and leaked PII now available on the Dark Web. These 700+million email addresses and millions of passwords – many un-hashed – will inevitably be used in credential stuffing attacks that greatly harm both consumers and the financial/merchant/payments ecosystem for years to come.

“This is exactly why, to thwart credential stuffing, more and more banks and major organizations are embracing advanced authentication methods that don’t burden the user with creating, remembering or receiving and manually entering a verification factor. The move away from depending upon PII-based authentication eliminates the ability of bad actors to guess, phish, credential-stuff, socially engineer, mimic or capture their way into the network and the financial assets they seek to plunder.”

“Invisible multifactor authentication using cryptographic key based authentication combined with device, environmental and behavioral technologies is one such approach.”

Password Best Practices in the Wake of Collection #1

Sandor Palfy, CTO of LastPass, provided some insights into creating stronger passwords in the wake of the breach:

“This Collection #1 data dump is yet another example indicating the importance of practicing good password behavior. Despite the fact that weak, reused and compromised passwords are the cause behind many breaches, people continue to display pretty risky password behavior. In fact, in our in our recent Psychology of Passwords survey, we found that 91% knew that using the same password for multiple accounts is a security risk, but 59% admitted that they continued to do so.”

“In most breaches, the attacker usually just gets the hashes of the passwords and they need to crack or brute force to get the actual passwords. The longer and more complex the password is, the harder it becomes to crack, or brute-force attack which simply means it takes longer for a computer to correctly guess it.”

“It’s crucial that people create a unique, strong password that hasn’t been used on other online accounts, for every online account they have. If you use the same password for multiple sites, and one site is breached and your password is cracked, attackers will go after your other accounts, more important accounts, likely even before you learn about the breach. Even if a password is brute-forced, the damage is less if it’s unique, as then it will impact only that account. It’s also worth turning on two-factor authentication where possible as this adds an additional layer of protection that will ensure an attacker won’t be able to access an account even if they do obtain the password.”

Ben Canner

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.
Ben Canner