{"id":4165,"date":"2019-01-17T13:52:06","date_gmt":"2019-01-17T17:52:06","guid":{"rendered":"https:\/\/solutionsreview.com\/identity-management\/?p=4165"},"modified":"2019-01-31T15:08:12","modified_gmt":"2019-01-31T19:08:12","slug":"experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1","status":"publish","type":"post","link":"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/","title":{"rendered":"Experts Comment: 21 Million Passwords, 773 Million Emails Breached via &#8220;Collection #1&#8221;"},"content":{"rendered":"<p style=\"text-align: justify\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2359\" src=\"https:\/\/solutionsreview.com\/identity-management\/files\/2018\/02\/password-2-mod.jpg\" alt=\"Experts Comment: 21 Million Passwords, 773 Million Emails Breached via &quot;Collection #1&quot;\" width=\"800\" height=\"400\" srcset=\"https:\/\/solutionsreview.com\/identity-management\/files\/2018\/02\/password-2-mod.jpg 800w, https:\/\/solutionsreview.com\/identity-management\/files\/2018\/02\/password-2-mod-300x150.jpg 300w, https:\/\/solutionsreview.com\/identity-management\/files\/2018\/02\/password-2-mod-768x384.jpg 768w, https:\/\/solutionsreview.com\/identity-management\/files\/2018\/02\/password-2-mod-540x270.jpg 540w, https:\/\/solutionsreview.com\/identity-management\/files\/2018\/02\/password-2-mod-162x81.jpg 162w, https:\/\/solutionsreview.com\/identity-management\/files\/2018\/02\/password-2-mod-360x180.jpg 360w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">2019 only just began. Already we\u2019ve suffered a <a href=\"https:\/\/solutionsreview.com\/identity-management\/experts-weigh-in-the-oklahoma-securities-commission-breach\/\" target=\"_blank\" rel=\"noopener\">breach<\/a> invariably destined to compete for the title of Worst of the Year. 
<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">Security researcher Troy Hunt, who maintains email and <a href=\"https:\/\/solutionsreview.com\/identity-management\/splashdata-releases-top-100-worst-passwords-2018\/\" target=\"_blank\" rel=\"noopener\">password compromise<\/a> search engine <\/span><a href=\"https:\/\/haveibeenpwned.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Have I Been Pwned<\/span><\/a><span style=\"font-weight: 400\">, discovered and alerted the public about the breach; he found nearly 773 million unique email addresses and 21 million unique passwords posted to a \u201cpopular hacking forum\u201d in a folder entitled \u201cCollection #1.\u201d <\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">The full Collection #1 folder contained over 12,000 files and 87 gigabytes of data. Mr. Hunt cleaned the folder\u2019s data set, which contained over 2.7 billion rows of email addresses and passwords, to provide a clearer view of the breach\u2019s true scale. 
<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">In a <\/span><a href=\"https:\/\/www.troyhunt.com\/the-773-million-record-collection-1-data-reach\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">post<\/span><\/a><span style=\"font-weight: 400\"> detailing his research into the Collection #1 breach, Mr. Hunt speculates the data may have originated from multiple sources; in fact, it could represent an aggregation of cracked, de-hashed passwords from thousands of databases. However, Mr. Hunt notes that verifying data breaches involves extensive processes. Until further evidence is discovered, he stresses, his opinions about the origins of Collection #1 should be treated as \u201calleged.\u201d<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">Those responsible for Collection #1 have not yet been identified. Its existence would serve as an excellent tool for hackers interested in infiltrating enterprise networks. It also benefits threat actors initiating credential stuffing attacks. <\/span><\/p>\n<h3 style=\"text-align: justify\"><b>What Should Your Enterprise Do About Collection #1?<\/b><\/h3>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">Collection #1 has been removed from the sites hosting it. However, the damage has already been done. Will LaSala, Director of Security Solutions and Security Evangelist at <\/span><a href=\"https:\/\/www.onespan.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">OneSpan<\/span><\/a><span style=\"font-weight: 400\">, shared his thoughts on what your enterprise can do now.<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">\u201cThis is a colossal breach. 
Those impacted should act fast to change any reused passwords, as the exposed credentials can be used by criminals in credential stuffing attacks to cause maximum damage across multiple other accounts. And with criminals trading assets in underground forums, data from this breach could easily be cross-referenced with information lying elsewhere to bypass authentication. For the more high-risk accounts like banking accounts, this poses a very real fraud threat.\u201d<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">\u201cIf this doesn\u2019t highlight the need for security reach beyond the password, then not much else will. We should know by now that using a combination of multiple, layered authentication technologies gives companies, and users, the best chance. Banks especially should be upgrading their authentication procedures to more intelligent methods to mitigate the fraud risk in the aftermath of attacks such as this. This technology should combine multiple authentication techniques, whether that\u2019s fingerprints, behavioral biometrics or one-time passwords.\u201d <\/span><\/p>\n<h3 style=\"text-align: justify\"><b>More Experts Offer Their Perspectives<\/b><\/h3>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">Bimal Gandhi, Chief Executive Officer at <\/span><a href=\"https:\/\/www.uniken.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Uniken<\/span><\/a><span style=\"font-weight: 400\">, also shared his thoughts. <\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">\u201cAlbert Einstein said: \u2018The definition of insanity is doing the same thing over and over again, but expecting different results,\u2019 and the continued reliance on outdated security methods such as using PII in authentication certainly fits that definition, given the proliferation of stolen and leaked PII now available on the Dark Web. 
These 700+million email addresses and millions of passwords \u2013 many un-hashed \u2013 will inevitably be used in credential stuffing attacks that greatly harm both consumers and the financial\/merchant\/payments ecosystem for years to come.<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">&#8220;This is exactly why, to thwart credential stuffing, more and more banks and major organizations are embracing advanced authentication methods that don\u2019t burden the user with creating, remembering or receiving and manually entering a verification factor. The move away from depending upon PII-based authentication eliminates the ability of bad actors to guess, phish, credential-stuff, socially engineer, mimic or capture their way into the network and the financial assets they seek to plunder.&#8221;<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-weight: 400\">&#8220;Invisible multifactor authentication using cryptographic key based authentication combined with device, environmental and behavioral technologies is one such approach.&#8221;<\/span><\/p>\n<h3 style=\"text-align: justify\"><strong>Password Best Practices in the Wake of Collection #1<\/strong><\/h3>\n<p style=\"text-align: justify\">Sandor Palfy, CTO of <a href=\"https:\/\/www.lastpass.com\/business-password-manager\" target=\"_blank\" rel=\"noopener\">LastPass<\/a>, provided some insights into creating stronger passwords in the wake of the breach:<\/p>\n<p style=\"text-align: justify\">\u201cThis Collection #1 data dump is yet another example indicating the importance of practicing good password behavior. Despite the fact that weak, reused and compromised passwords are the cause behind many breaches, people continue to display pretty risky password behavior. 
In fact, in our recent <a href=\"https:\/\/blog.lastpass.com\/2018\/05\/psychology-of-passwords-neglect-is-helping-hackers-win.html\/\" target=\"_blank\" rel=\"noopener\">Psychology of Passwords<\/a> survey, we found that 91% knew that using the same password for multiple accounts is a security risk, but 59% admitted that they continued to do so.&#8221;<\/p>\n<p style=\"text-align: justify\">&#8220;In most breaches, the attacker usually just gets the hashes of the passwords and they need to crack or brute force to get the actual passwords. The longer and more complex the password is, the harder it becomes to crack, or brute-force attack which simply means it takes longer for a computer to correctly guess it.&#8221;<\/p>\n<p style=\"text-align: justify\">&#8220;It\u2019s crucial that people create a unique, strong password that hasn\u2019t been used on other online accounts, for every online account they have. If you use the same password for multiple sites, and one site is breached and your password is cracked, attackers will go after your other accounts, more important accounts, likely even before you learn about the breach. Even if a password is brute-forced, the damage is less if it&#8217;s unique, as then it will impact only that account. It\u2019s also worth turning on two-factor authentication where possible as this adds an additional layer of protection that will ensure an attacker won\u2019t be able to access an account even if they do obtain the password.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>2019 only just began. Already we\u2019ve suffered a breach invariably destined to compete for the title of Worst of the Year. 
Security researcher Troy Hunt, who maintains email and password compromise search engine Have I Been Pwned, discovered and alerted the public about the breach; he found nearly 773 million unique email addresses and 21 [&hellip;]<\/p>\n","protected":false},"author":41,"featured_media":2359,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[5],"tags":[142,125,988,16,112,76,70,104,30,908,124,91,123,90,25,989,754],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Experts Comment: 21M Passwords, 773M Emails Leaked via Collection #1<\/title>\n<meta name=\"description\" content=\"Troy Hunter discovered 21 Million Passwords and 773 Million Emails were exposed in a folder called &quot;Collection #1.&quot; What can your enterprise do?\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ben Canner\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/\",\"url\":\"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/\",\"name\":\"Experts Comment: 21M Passwords, 773M Emails Leaked via Collection #1\",\"isPartOf\":{\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/solutionsreview.com\/identity-management\/files\/2018\/02\/password-2-mod.jpg\",\"datePublished\":\"2019-01-17T17:52:06+00:00\",\"dateModified\":\"2019-01-31T19:08:12+00:00\",\"author\":{\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/#\/schema\/person\/357f925262827fcf840b4341920a1541\"},\"description\":\"Troy Hunter discovered 21 Million Passwords and 773 Million Emails were exposed in a folder called \\\"Collection #1.\\\" What can your enterprise 
do?\",\"breadcrumb\":{\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/#primaryimage\",\"url\":\"https:\/\/solutionsreview.com\/identity-management\/files\/2018\/02\/password-2-mod.jpg\",\"contentUrl\":\"https:\/\/solutionsreview.com\/identity-management\/files\/2018\/02\/password-2-mod.jpg\",\"width\":800,\"height\":400,\"caption\":\"Experts Comment on National Change Your Password Day\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/solutionsreview.com\/identity-management\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Experts Comment: 21 Million Passwords, 773 Million Emails Breached via &#8220;Collection #1&#8221;\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/#website\",\"url\":\"https:\/\/solutionsreview.com\/identity-management\/\",\"name\":\"Best Identity Access Management (IAM) Software, Tools, Vendors, Solutions, &amp; Services\",\"description\":\"Identity Access Management (IAM) News, Best Practices and Buyer&#039;s 
Guide\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/solutionsreview.com\/identity-management\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/#\/schema\/person\/357f925262827fcf840b4341920a1541\",\"name\":\"Ben Canner\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/solutionsreview.com\/identity-management\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/63f68345052a446ce0cc9c802dd3f373?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/63f68345052a446ce0cc9c802dd3f373?s=96&d=mm&r=g\",\"caption\":\"Ben Canner\"},\"description\":\"Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.\",\"url\":\"https:\/\/solutionsreview.com\/identity-management\/author\/bcanner\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Experts Comment: 21M Passwords, 773M Emails Leaked via Collection #1","description":"Troy Hunter discovered 21 Million Passwords and 773 Million Emails were exposed in a folder called \"Collection #1.\" What can your enterprise do?","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/","twitter_misc":{"Written by":"Ben Canner","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/","url":"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/","name":"Experts Comment: 21M Passwords, 773M Emails Leaked via Collection #1","isPartOf":{"@id":"https:\/\/solutionsreview.com\/identity-management\/#website"},"primaryImageOfPage":{"@id":"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/#primaryimage"},"image":{"@id":"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/#primaryimage"},"thumbnailUrl":"https:\/\/solutionsreview.com\/identity-management\/files\/2018\/02\/password-2-mod.jpg","datePublished":"2019-01-17T17:52:06+00:00","dateModified":"2019-01-31T19:08:12+00:00","author":{"@id":"https:\/\/solutionsreview.com\/identity-management\/#\/schema\/person\/357f925262827fcf840b4341920a1541"},"description":"Troy Hunter discovered 21 Million Passwords and 773 Million Emails were exposed in a folder called \"Collection #1.\" What can your enterprise 
do?","breadcrumb":{"@id":"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/#primaryimage","url":"https:\/\/solutionsreview.com\/identity-management\/files\/2018\/02\/password-2-mod.jpg","contentUrl":"https:\/\/solutionsreview.com\/identity-management\/files\/2018\/02\/password-2-mod.jpg","width":800,"height":400,"caption":"Experts Comment on National Change Your Password Day"},{"@type":"BreadcrumbList","@id":"https:\/\/solutionsreview.com\/identity-management\/experts-comment-21-million-passwords-773-million-emails-breached-via-collection-1\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/solutionsreview.com\/identity-management\/"},{"@type":"ListItem","position":2,"name":"Experts Comment: 21 Million Passwords, 773 Million Emails Breached via &#8220;Collection #1&#8221;"}]},{"@type":"WebSite","@id":"https:\/\/solutionsreview.com\/identity-management\/#website","url":"https:\/\/solutionsreview.com\/identity-management\/","name":"Best Identity Access Management (IAM) Software, Tools, Vendors, Solutions, &amp; Services","description":"Identity Access Management (IAM) News, Best Practices and Buyer&#039;s 
Guide","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/solutionsreview.com\/identity-management\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/solutionsreview.com\/identity-management\/#\/schema\/person\/357f925262827fcf840b4341920a1541","name":"Ben Canner","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/solutionsreview.com\/identity-management\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/63f68345052a446ce0cc9c802dd3f373?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/63f68345052a446ce0cc9c802dd3f373?s=96&d=mm&r=g","caption":"Ben Canner"},"description":"Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. 
You can reach him via Twitter and LinkedIn.","url":"https:\/\/solutionsreview.com\/identity-management\/author\/bcanner\/"}]}},"_links":{"self":[{"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/posts\/4165"}],"collection":[{"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/comments?post=4165"}],"version-history":[{"count":0,"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/posts\/4165\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/media\/2359"}],"wp:attachment":[{"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/media?parent=4165"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/categories?post=4165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/solutionsreview.com\/identity-management\/wp-json\/wp\/v2\/tags?post=4165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}