Yesterday a huge data set containing numerous mail addresses and passwords appeared on the Internet. It was discovered by the security expert Troy Hunt, who runs the website “Have I Been Pwned”. According to Troy Hunt, the data set contains a total of 2.6 billion lines with combinations of mail addresses and passwords.
With a total of more than 772 million mail addresses and 20 million passwords, this is the largest collection of stolen information ever to appear on the Internet. For this reason, Hunt called the data set “Collection #1”.
The data, which was found in hacker forums, apparently originates from various attacks. IT security expert Hunt assumes that the data is genuine. He himself is affected: his mail addresses appear in the list together with older passwords.
The entire data set has now been added to the “Have I Been Pwned” page so that you can check whether your own data has also been stolen and disseminated. Registered users of the service whose data are affected have already been informed by e-mail. It is now a good idea to check whether your own mail addresses are also affected.
The data could be used primarily for a practice known as credential stuffing. In such attacks, attackers do not attempt to take over individual accounts, but to crack as many as possible at once. To do this, they run all unique combinations from the data set through an algorithm; if a combination of mail address and password matches, the attackers gain access to the account. Such practices are often successful because many users use the same combination of mail address and password for different services. As a result, numerous accounts across a wide variety of web services could be taken over.
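On the defending side, this behaviour leaves a recognizable trace in login logs: one source tries many different accounts only once or twice each, unlike a brute-force attack that hammers a single account. The following Python example is added here and is not part of the original article; the log format, the thresholds and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, format assumed: "timestamp source_ip username result".
SAMPLE_LOG = """\
2019-01-18T10:00:01 198.51.100.7 alice@example.com FAIL
2019-01-18T10:00:02 198.51.100.7 bob@example.com FAIL
2019-01-18T10:00:03 198.51.100.7 carol@example.com OK
2019-01-18T10:00:04 198.51.100.7 dave@example.com FAIL
2019-01-18T10:00:10 203.0.113.9 frank@example.com FAIL
2019-01-18T10:00:11 203.0.113.9 frank@example.com FAIL
2019-01-18T10:00:12 203.0.113.9 frank@example.com FAIL
2019-01-18T10:00:13 203.0.113.9 frank@example.com FAIL
2019-01-18T10:05:00 192.0.2.44 grace@example.com FAIL
2019-01-18T10:05:20 192.0.2.44 grace@example.com OK
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user.lower(), result == "OK"

def analyze(log, window=timedelta(minutes=5), min_accounts=4, min_failures=4):
    """Return ({ip: verdict}, accounts that logged in during a stuffing burst)."""
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    verdicts, at_risk = {}, set()
    for ip, events in by_ip.items():
        events.sort()
        verdicts[ip] = "normal"
        for i, first in enumerate(events):
            burst = [e for e in events[i:] if e[0] - first[0] <= window]
            users = {e[2] for e in burst}
            failures = sum(not e[3] for e in burst)
            # Stuffing: many different accounts from one source, one or two tries each.
            if len(users) >= min_accounts and len(burst) <= 2 * len(users):
                verdicts[ip] = "credential_stuffing"
                # A success inside the burst means a leaked pair was still valid.
                at_risk |= {e[2] for e in burst if e[3]}
            # Brute force: repeated failures against a single account.
            elif len(users) == 1 and failures >= min_failures and verdicts[ip] == "normal":
                verdicts[ip] = "brute_force"
    return verdicts, at_risk

if __name__ == "__main__":
    verdicts, at_risk = analyze(SAMPLE_LOG)
    print(verdicts)
    print("force password reset:", sorted(at_risk))
```

Accounts returned in the second value logged in successfully during a stuffing burst and are candidates for a forced password reset and session revocation.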
Hunt recommends using a password manager and creating a separate password for each service. In addition, passwords should be changed regularly.