2.2 billion email addresses and passwords leaked - are you affected?
Usually, large (and illegal) email and password collections are an expensive commodity. Hackers, intelligence agencies and spammers tend to pay good money for extensive and detailed data sets on the dark web to support their activities. Recently, "Collection #1" was circulated and caught the eye of IT security expert Troy Hunt. It contained 773 million email addresses and 21 million passwords in clear text, much to the alarm of many users. One week later, it became apparent the data set was only the tip of the ice berg.
While originally assumed to be a rare find, "Collection #1" with its 87 GB and 12,000 individual files, was quickly overshadowed by "Collection #2" and "Collection #5", totaling 600 GB. The sets are still being analyzed but, so far, 2.2 billion email addresses and passwords have been identified, not all of them in readable clear text, though. It's likely the data was stolen from various companies and other facilities over an extended period of time. And since the lists are now easily accessible by anyone through common search engines, it's high time you changed your passwords.
The problem for many is they use the same combination of email address and password for multiple portals and services. Once hackers get hold of a collection, they tend to employ a strategy called "credential stuffing" that involves automated login requests directed against web applications. The more accounts are linked to a single email password pair, the higher the success rate (Amazon and eBay are common first strike targets). Social networks are also frequently targeted, so be wary should you suddenly spot ads on one of your friends' profiles - they might be affected. Check out the dedicated website of Hasso-Plattner-Institut to find out whether your email address is affected. The institute maintains a database of over 8 billion (!) user accounts that stem from data leaks and will send a detailed report to the email address specified.
What is still secure now that the passwords are known?
So far, one in two users has received bad news, meaning their personal data have been disclosed online. I myself have tried all email addresses I could remember. Result: Apart from an old address I haven't used in at least 8 years, none were affected. They've likely found an ancient data set that is irrelevant today - that does nothing for the uneasy feeling I still have, though. Admittedly, my pulse was slightly elevated when I received my reports from Hasso-Plattner-Institut.
For those who are affected: Make sure to switch your accounts to stronger passwords and feel free to check out my older blog article on how to come up with secure passwords, i.e. anything but "1234". Generally, I recommend you use a password manager in case you're a frequent visitor to online portals and stores. Password management software creates cryptic and secure passwords for the various sites you visit and keeps them in a secure vault accessible through a master password. This way, you'll have to remember a single password instead of many and the software will fill in password fields for you automatically as soon as you visit any of the the affected sites. Best of all: The program never forgets your passwords. You may also consider changing your passwords at regular intervals. Yes, that can be cumbersome, especially for multiple accounts, but you'll have to worry less about data leaks. If possible, you can also enable two-factor authentication, particularly for data or cost intensive transactions, and introduce a second entity, e.g. your cellphone or a dedicated security key, into the authentication process. Whichever approach you chose, may your data stay safe!
What I would like to know: Have you already visited the website of Hasso-Plattner-Institute (https://sec.hpi.de/ilc/search?lang=en)? Are you affected?