In January, security researcher Troy Hunt announced the addition of the ‘Collection #1’ set of compromised login credentials to his Have I Been Pwned (HIBP) service. HIBP allows users to search for their own email addresses and passwords in order to identify whether they have appeared in any major data breaches. This was followed shortly afterwards by coverage of ‘Collections #2–5’. Here we’ll explain why these collections are a big deal, and the steps you can take to protect yourself.
The size of Collection #1 impressed researchers, with the collection contained just under 772m unique email addresses. For comparison, the 2015 Panama Papers leak of confidential financial documents totalled 11.5m, the 2018 Facebook–Cambridge Analytica scandal involved 87m profiles and the 2017 Equifax data breach—believed to be the single largest breach in history—resulted in the compromise of 148m records.
Obviously, a breach of this size would be truly disastrous if composed of newly-acquired credentials. However, subsequent analysis of Collection #1 found that the records were collated from potentially thousands of prior breaches. However, as Michael Kan writes in PC Magazine, ‘the data dump is notable, however, because it was packaged up and published on a hacking forum for easy access. Now anyone, particularly amateur hackers, can peruse a vast library of email addresses and stolen passwords.’
If Collection #1 was massive, Collections #2–5 are truly staggering. Compared to the 87 GB Collection #1, Collections #2–5 total over 600 GB, or over 2.2 billion unique email address records. Again, it appears that some or all of the records in this gargantuan collection are from historic breaches, and some may not even be genuine. However, as Kan suggested, the danger here comes from the fact that cyber criminals now have a convenient collection of records totalling almost a quarter of the Earth’s population to use in credential stuffing attacks.
Credential stuffing relies on users making one of two simple mistakes: either re-using their passwords for other accounts, or not changing their passwords after a breach. Attackers simply try as many pairs of credentials as they can on as many different services as they can until they hit it lucky. This process is simple and easily automated, meaning that at any time there may be thousands of automated credential-stuffing bots roaming the Internet. If a password of yours appears anywhere in a collection like these, you should consider it burned for good.
So, how can you protect yourself against these sorts of attacks? Where possible, use alternate (and multiple) means of authentication—do not rely solely on passwords. Where this is not possible, following basic password security measures will serve admirably. Firstly, ensure that you do not reuse passwords across multiple services and accounts. A password manager can be indispensable in keeping track of all these. Secondly, if you discover that your email address or previous password have been detected in a breach (and you can sign up to receive HIBP email updates for this), change it immediately.