If you haven’t changed your password after one of the countless data breaches over the past few years, the time is now.
Nearly 773 million records, including email addresses and passwords, were exposed in a data breach publicized by security researcher Troy Hunt this week. Hunt said this large collection of files, which could be the largest breach yet to be made public, was collected from a number of breaches and uploaded to the popular cloud service MEGA. That platform has since removed the data, which was promoted on popular hacking forums.
It’s not clear how long the sensitive records have been public, but the breach is wide-reaching. The list includes log-in credentials from more than 2,000 websites. The records were viewable to anyone with an internet connection. Troy Hunt, a web security expert and Australian regional director for Microsoft security, was alerted to the breach this week and independently verified the data.
“The unique email addresses totalled 772,904,991,” Hunt wrote on his website. “This is the headline you’re seeing as this is the volume of data that has now been loaded into Have I Been Pwned (HIBP). It’s after as much clean-up as I could reasonably do and per the previous paragraph, the source data was presented in a variety of different formats and levels of ‘cleanliness.’ This number makes it the single largest breach ever to be loaded into HIBP.”
You can check if your email, password, or other data appears on the list for free through his site. Hunt said even his own data appeared in the giant trove of stolen emails and passwords, despite his intensive security practices as a privacy professional.
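The password lookup on Hunt’s site works through a “range” query: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and gets back every hash suffix with that prefix plus a count, so the full password never leaves the user’s machine. The following is an added illustration of that client-side logic, not code from the article or from Have I Been Pwned; the response body and counts under `SAMPLE_RANGES` are constructed so the script runs offline, and `online_fetch` shows how the real endpoint would be called instead.

```python
import hashlib
from typing import Callable, Dict, Tuple

# k-anonymity range lookup as used by the Pwned Passwords service (illustrative
# re-implementation). The real endpoint is GET https://api.pwnedpasswords.com/range/<prefix>
# and answers with lines "<remaining 35 hex chars>:<count>". Only the 5-character
# prefix is ever transmitted, so the service cannot learn the password being checked.

PREFIX_LEN = 5


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix; return its breach count, or 0 if absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip() or 0)
    return 0


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Hash locally, send only the prefix via fetch_range, match the suffix locally."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))


# Constructed sample response for prefix "5BAA6" (SHA-1 of "password" is 5BAA61E4...).
# The counts and neighbouring suffixes are made up; a real response lists hundreds.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix of sha1("password")
        "1E5D2E1B78A2FAE3F6AEE8D2C23D0C7FB64:1",
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call, serving the constructed data so the example runs offline."""
    return SAMPLE_RANGES.get(prefix, "")


def online_fetch(prefix: str) -> str:
    """Real lookup against the public endpoint (not exercised here); sends only the prefix."""
    import urllib.request
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = check_password(pw, offline_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample ranges'}")
```

Passing the fetcher in as a parameter keeps the hashing and matching testable without network access; swapping `offline_fetch` for `online_fetch` turns it into a real check, and the prefix-only request is what makes that check safe to run against a third-party service.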
“In terms of scale, this enormous trove of email addresses and unique passwords is monumental. Hackers could have accessed this data at any point,” said Ruchika Mishra, director of products and solutions at Balbix, a security firm in San Jose, Calif.
Large breaches like these are often used for “credential-stuffing attacks,” in which hackers use bots to automatically test millions of email and password combinations across many website login pages until they gain access. This means if you use the same password across different websites, you could be at risk of being compromised, even at sites that weren’t hacked.
“Password dumps create a ripple effect of organizations spending precious time and resources on damage control,” said Rami Essaid, co-founder of the bot mitigation company Distil Networks. “While it’s important that individual web users have strong, secure logins, the onus is on the businesses to detect and block malicious bot traffic before large-scale password hacks can occur.”
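The business-side detection Essaid refers to usually starts with the login audit trail: a stuffing bot stands out because one source tries many different accounts in a short window with almost every attempt failing, whereas a legitimate user retries one account. The script below is an added example, not code from the article or from Distil Networks; the log format, the field names and the log lines under `SAMPLE_LOG` are constructed, and the thresholds (`min_accounts`, `max_success_ratio`, `window`) are assumptions a real deployment would tune to its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed login-audit lines (not real traffic): one authentication attempt per line.
# 203.0.113.5 cycles through seven accounts in seconds; 198.51.100.7 is one user retrying.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2019-01-17T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2019-01-17T10:00:02Z ip=203.0.113.5 user=carol@example.com result=FAIL
2019-01-17T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2019-01-17T10:00:03Z ip=203.0.113.5 user=erin@example.com result=OK
2019-01-17T10:00:04Z ip=203.0.113.5 user=frank@example.com result=FAIL
2019-01-17T10:00:10Z ip=198.51.100.7 user=alice@example.com result=FAIL
2019-01-17T10:00:25Z ip=198.51.100.7 user=alice@example.com result=OK
2019-01-17T10:05:00Z ip=203.0.113.5 user=grace@example.com result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

Event = Tuple[datetime, str, str, bool]  # (timestamp, source ip, account, succeeded)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed audit format; lines that do not match are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(
    events: List[Event],
    window: timedelta = timedelta(minutes=1),
    min_accounts: int = 5,
    max_success_ratio: float = 0.2,
) -> Dict[str, dict]:
    """Flag source IPs that, inside any sliding window, hit >= min_accounts distinct
    accounts with a success ratio at or below max_success_ratio.

    Returns {ip: {"accounts": n, "attempts": n, "hits": {accounts that succeeded}}}.
    The "hits" set is the response-relevant part: those accounts were opened with a
    reused password and need a forced reset, not just a blocked IP.
    """
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so that evs[start:end+1] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts: Set[str] = {e[2] for e in chunk}
            successes = [e[2] for e in chunk if e[3]]
            if len(accounts) >= min_accounts and len(successes) / len(chunk) <= max_success_ratio:
                rec = flagged.setdefault(ip, {"accounts": 0, "attempts": 0, "hits": set()})
                rec["accounts"] = max(rec["accounts"], len(accounts))
                rec["attempts"] = max(rec["attempts"], len(chunk))
                rec["hits"].update(successes)
    return flagged


if __name__ == "__main__":
    for ip, rec in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {rec['accounts']} accounts in {rec['attempts']} attempts; "
              f"compromised: {sorted(rec['hits']) or 'none'}")
```

Keying on distinct accounts per source rather than on failures per account is what separates stuffing from an ordinary brute-force or a forgetful user; a single bot IP is the simple case, and the same aggregation can be run per ASN or per device fingerprint when the traffic is spread across a proxy pool.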
The breach is yet another reminder that the best way to protect your privacy is to use a password manager and two-factor authentication, said Bill Evans, a vice president at California security firm One Identity.
He added that businesses have no excuse not to offer two-factor authentication, which requires users to input a code sent to their phone or email to log in, adding an extra layer of security. “For individuals, if your bank offers it, enable it,” he said. “If your bank does not offer it, change banks.”
You can check whether your bank and any other website you use offers two-factor authentication at 2FA. Evans also suggested all individuals start using a password manager like LastPass, 1Password, or Dashlane. If you already use one of these services, consider changing all the passwords stored in it because they could have been exposed in this latest breach.
Some managers, like LastPass, allow users to do this easily through a feature called “auto change.” Hunt noted that anyone who doesn’t trust a digital manager should at least consider physically writing down passwords in a notebook — anything is better than using the same password across multiple websites.
“The real risk posed by incidents like this is password reuse and you need to avoid that to the fullest extent possible,” he wrote.