Security researcher Troy Hunt reported finding a set of email addresses and passwords, called “Collection #1”, that totaled 773 million exposed records. The monster breach was first found on the cloud service MEGA and amounted to more than 87GB of data. Read on for the full story.
The Monster Breach – Full Story
An unknown party released a data dump called “Collection #1” on the cloud service MEGA that contained 2.7 billion records in its raw form. Security researcher Troy Hunt found the dump, cleaned it up, and found 773 million unique records.
Collection #1 seems to be a compounded dump of both known and unknown breaches. According to Troy Hunt, the 87GB dump can still be found on a “popular hacking forum”, and therefore can still be very dangerous.
Thankfully, the monster breach files only contain emails and passwords, some of which are old and out of date. However, the data can still be used for mass credential stuffing attacks (which I’ll explain shortly) as most of the passwords are de-hashed.
The good news is that Hunt has a tool (Have I Been Pwned) that can help you see if your email was part of the breach. He’s updated the tool’s database with all of the new emails he found, while also updating the password-checking version of the site with all the new leaked passwords. This way, anyone can check and see if their email or their password is in the breach.
What is Credential Stuffing?
Seeing as the data dump only contains emails and de-hashed passwords, there’s really only one kind of attack that it would be good for: Credential Stuffing.
Credential Stuffing is when an attacker runs a list of email/password combos through a site using an automated tool to see which combos still work. These kinds of attacks aren’t usually looking for a 100% success rate, which means that the only people that get affected are the ones still using the same email/password combination.
While the attack itself isn’t really complicated, it is very dangerous. The thing is, it’s also super avoidable. The whole reason credential stuffing still works today is that people tend to re-use their passwords. Securing each and every account you have with a unique and strong password is the best way to stop this kind of attack.
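From the defender’s side, the pattern described above (one source trying many different email/password combos, most of them failing) is also what makes credential stuffing detectable. The following is an added example, not code from the original post or from Troy Hunt’s tools: it parses a constructed set of login events (the format and the IP addresses are assumptions made up for this example) and flags source IPs that try many distinct accounts in a short window with a low success rate.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of login events for this example (not real traffic).
# Assumed format: "<ISO timestamp> <client ip> <email> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2019-01-17T10:00:01 203.0.113.5 alice@example.com LOGIN_FAIL
2019-01-17T10:00:02 203.0.113.5 bob@example.com LOGIN_FAIL
2019-01-17T10:00:02 203.0.113.5 carol@example.com LOGIN_OK
2019-01-17T10:00:03 203.0.113.5 dave@example.com LOGIN_FAIL
2019-01-17T10:00:04 203.0.113.5 erin@example.com LOGIN_FAIL
2019-01-17T10:00:05 203.0.113.5 frank@example.com LOGIN_FAIL
2019-01-17T10:00:06 203.0.113.5 grace@example.com LOGIN_FAIL
2019-01-17T10:00:10 198.51.100.7 alice@example.com LOGIN_FAIL
2019-01-17T10:00:20 198.51.100.7 alice@example.com LOGIN_FAIL
2019-01-17T10:00:30 198.51.100.7 alice@example.com LOGIN_OK
2019-01-17T10:05:00 192.0.2.9 heidi@example.com LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def parse_events(text):
    """Turn log lines into (timestamp, ip, email, succeeded) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, outcome = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"))
    return events


def find_stuffing_sources(events, window_seconds=300,
                          min_distinct_users=5, max_success_ratio=0.5):
    """Return {ip: summary} for sources whose behaviour looks like credential stuffing.

    Heuristic: within one time bucket, a single IP tries at least
    `min_distinct_users` different accounts and mostly fails.  A single
    account hammered from one IP (classic brute force) is NOT flagged here,
    because stuffing is many accounts, one try each.
    """
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        bucket = int(ts.timestamp()) // window_seconds
        buckets[(ip, bucket)].append((user, ok))

    flagged = {}
    for (ip, _bucket), attempts in buckets.items():
        users = {u for u, _ in attempts}
        hits = sorted(u for u, ok in attempts if ok)
        if len(users) >= min_distinct_users and len(hits) / len(attempts) <= max_success_ratio:
            flagged[ip] = {
                "attempts": len(attempts),
                "distinct_users": len(users),
                "successes": len(hits),
                # Accounts that DID log in from a stuffing source are the ones
                # whose owners reused a leaked password: reset them first.
                "hit_accounts": hits,
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

The successful logins inside a flagged window are the most useful output: those are the accounts where the leaked combo still worked, so they are the ones to force a password reset on.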
What To Do If Your Data Was in the Monster Breach?
If you ran your email in Hunt’s tool and found out that you’re part of the breach, don’t freak out (too much).
Yes, your email and an old password you had are in the monster breach, but that doesn’t mean you can’t do something about it.
1. Check and See If Your Passwords Are Safe
So you found your email address was part of the breach. Next, you need to check and see if your passwords were too. Use Hunt’s tool and run all of your passwords in it to see which ones (if any) are vulnerable.
I know asking people to type their password into a website doesn’t sound very “pro-privacy”. Hunt has already addressed that concern and describes how his tool works to keep any information you put in it private.
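The privacy trick behind that password check is worth seeing in code. Hunt’s Pwned Passwords service uses a k-anonymity range lookup: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the service, receives every hash suffix the service holds for that prefix, and does the final comparison locally, so the full password (and even its full hash) never leaves your machine. The block below is an added example, not code from the original post or from HIBP; it performs that client-side matching against a constructed range response embedded inline (the counts in it are made up for the example), and does not contact the real service.

```python
import hashlib

# Constructed stand-in for the service's answer to a range query.  The real
# service would be queried as GET /range/<prefix>; here the lookup is a local
# dict so the example runs offline.  Each line is "<35-char hash suffix>:<count>".
# The first suffix is the genuine SHA-1 suffix of the string "password";
# the count next to it is invented for this example.
FAKE_RANGE_DB = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\n"
        "00000000000000000000000000000000001:3\n"
        "ABCDEFABCDEFABCDEFABCDEFABCDEFABCDE:17\n"
    ),
}


def fake_fetch_range(prefix):
    """Stand-in for the HTTP call; returns an empty body for unknown prefixes."""
    return FAKE_RANGE_DB.get(prefix, "")


def sha1_hex_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (prefix sent to the service, suffix kept locally)."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Scan the returned suffix list for ours; 0 means not present in that range."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def password_is_pwned(password, fetch_range=fake_fetch_range):
    """Number of times the password was seen in breaches (0 = not found).

    Only `prefix` is handed to fetch_range; the password itself and its full
    hash stay local.
    """
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "->", password_is_pwned(candidate))
```

Because the service only ever sees a five-character prefix that thousands of different passwords share, a leaked query log reveals nothing useful about which password you typed.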
2. Change Your Passwords
Security researchers have been asking people not to re-use their passwords for a while now. However, most people don’t really take that tip into consideration. If you found that one of your passwords was in the breach, please make sure to change it on any account that you use. Remember, credential stuffing runs your email and password combo on several sites hoping to get access to any of them.
If you have a compromised password, stop using it. Start using strong and unique passwords on every account you have. Also, you need to change that password every once in a while. Generally speaking, try changing your passwords every 3-6 just to be on the safe side.
3. Start Using a Password Manager
I suggest you start using a password manager to help you keep track of your new unique passwords. A secure password is complicated; you are not supposed to be able to remember it, because you don’t want it to be predictable. A password manager will be able to keep track of your passwords for you without putting your information at risk. If you’re looking for a digital manager, I suggest using Hunt’s go-to: 1Password. That manager also integrates with HIBP and notifies you the moment your data falls victim to a breach.
In case you don’t want to go the digital route, you can simply use a notebook.
4. Turn On 2FA Whenever Available
Turn on Two Factor Authentication whenever you can. Not all accounts will offer that feature, but do go for it on all the accounts that do. Do not use SMS-based 2FA, as that’s not as secure as people think it is.
If you’re a high profile internet user, I suggest you opt for 2FA authentication as it is the most secure out of the bunch.
Monster Breach – Final Thoughts
There you have it, ladies and gentlemen: everything you need to know about the 773 million record monster breach. While this is very terrifying news, it is still something that can be managed and controlled. The information is out there, but there’s no reason why we should keep that information valid. Changing your password and keeping up with the tips I mentioned above will help you fend off credential stuffing.