Collection #1

A gigantic trove of email addresses and passwords containing over 2 billion records has been discovered online.

The breached data, dubbed “Collection #1” by cybersecurity expert Troy Hunt, is more than 87 gigabytes and contains roughly 773 million email address and 21 million unique passwords. Hunt found an archive of the data on MEGA, a file-sharing site and has been featured on at least one hacking forum.

Hunt transferred the compromised emails and passwords to the website haveibeenpwned.com, where users can check to see if their account data was compromised.

The good news is that the data in Collection #1 seems to be at least two to three years old and much of the data there is reportedly comprised of information from other breaches, meaning that anyone who regularly updates their passwords to their online accounts has less reason to worry.

“If this Collection #1 has you spooked, changing your password(s) certainly can’t hurt — unless of course you’re in the habit of re-using passwords. Please don’t do that,” said security expert Brian Krebs on his blog.

The bad news is that Collection #1 seems to be a subset of a significantly larger data collection being sold online containing nearly 1 terabyte of compromised and hacked passwords. “Sanixer,” the hacker selling the data for $45 claims that the full set contains user data that is “less than a year old” and was aggregated from “dumps and leaked bases.”

The general consensus for what consumers should do following  the Collection #1 breach will likely be the same as it has been for data breaches in the past, and will be for its potential sequels:

  • Update passwords regularly.
  • Don’t re-use the same passwords on multiple accounts.
  • Sign up for 2-Factor authentication on any accounts that support it.