We have waved goodbye to 2018, and the new year has begun with a massive data theft. The Collection #1 data record contains millions of passwords and email addresses that have now been leaked. And that’s just the tip of the iceberg.
We explain what Collection #1 is all about and how you can check whether you are affected by the new data theft.
What is the Collection #1 data record?
We have previously reported on the website Have I Been Pwned. On this website you can quickly and easily check at any time whether your email address has been hacked. Troy Hunt is responsible for the website, and on his blog he reports on one of the biggest data thefts of all time. Hunt recently found a record containing over 772,000,000 unique email addresses and over 21,000,000 unique passwords: Collection #1.
The record does not stem from a single data theft but combines various data thefts, some of which date back years. In concrete terms, Hunt explains that the data probably originates from various hacker attacks. In some of them, hackers were even able to decrypt encrypted password databases. These passwords are now available in plain text, so attackers can exploit them relatively easily. In total, the Collection #1 record contains over 140 million email addresses that had not been affected by a data theft until now.
Why is this data theft so dangerous for those affected?
Collection #1 not only contains millions of email addresses and passwords in plain text. In his blog, Hunt describes that the hackers have structured the data set in such a way that it can be used for credential stuffing.
As if it weren’t bad enough for hackers to crack the password of a single online account, credential stuffing attempts to take over multiple online accounts at once. To do this, attackers use lists such as the Collection #1 data record, which contains vast numbers of email/password combinations.
Collection #1 is just the tip of the data theft iceberg
Since many users reuse the same combination of email address and password for social media platforms and other online accounts, a credential stuffing attack is usually very successful. This is exactly what makes the new data theft so dangerous for those affected.
In the worst case, not only the account contained in Collection #1 is at risk. Any other online account where you use the same email address or password is also a potential target for hackers. That’s why this data theft is just the tip of a huge iceberg where it’s far from clear how deep it really goes.
Collection #1 data record – are my passwords safe?
Given the enormity of the new data theft, many are justifiably wondering whether their email addresses are affected and whether their passwords are now insecure. Troy Hunt has already added the data from Collection #1 to his Have I Been Pwned database, so you can see in seconds whether you are affected by the data theft.
Simply enter your email address into the search form on the website. If your email address is affected by a data theft, you will receive an overview of the websites from which hackers have stolen your data. You can also use the Pwned Passwords search to check whether one of your passwords has been published in a data leak. But be careful: you should never check a password you are currently using.
Data theft – and now?
If your email address or password is included in the Collection #1 record, there are a number of steps you can take to secure your online accounts. Of course, it is very important to change your password. This applies to all web services where you use the email address in question to log in. A password manager will make your work easier. Good password managers usually also offer a password generator with which you can create secure passwords. You can read more about this in our guide Managing passwords.
Use two-factor authentication
As a general rule, use a strong password for each online account. What it takes to create a secure password is explained in the Password Security Guide. It also makes sense to use two-factor authentication. Many online services, especially e-mail and social media services, already offer two-factor authentication. Entering a security code makes it easier to prevent unauthorized access to your online accounts.
If you need help setting up two-factor authentication or a password manager, your local TrustATec partner will be happy to help. TrustATec will also advise you on the choice and installation of a suitable antivirus program.