Today, one of the largest breach data sets was released, containing roughly 773 million unique records of email addresses and passwords.
Microsoft Regional Director and MVP Troy Hunt obtained the original data set, titled ‘Collection #1’, from a hacker forum. The original data set contained 2,692,818,238 rows of email addresses and passwords. That’s right, nearly 3 billion records. It appears to be a collection of records from many different breaches, some as far back as 2008, all combined into one massive data set.
The original data set was analyzed to make the data legible. Rows were removed that included hashed passwords, duplicate entries, and rows that contained SQL. This ultimately created a database that contained the 773 million records.
Side note: pwned = owned. Gamers use this term when something happens in a game. It started with gamers typically mistyping owned, hitting the ‘p’ instead of the ‘o’. Now it is common practice to use pwned instead of owned. Example: “Dude, you just got pwned!”
This database was then uploaded to the website Have I Been Pwned (hence the title), which is operated by Troy Hunt. This is a free service that will tell you whether your email address has been exposed in any data breaches. It will also indicate whether a password was taken along with the email address. Lastly, the site can be used to test passwords to see how often they occur. For example, if you type in “P@ssw0rd”, which, incidentally, meets most password strength criteria (upper case, lower case, a number and 8 characters long), you will see that the site has seen that password 51,259 times. This indicates that it is a fairly common password and may be used in a dictionary-based attack.
We strongly recommend you check whether your email address has been a part of the breach.
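The gap between "meets the strength criteria" and "has been seen in breaches" can be checked in code. The following is an added example, not code from the site or from Troy Hunt: it follows the hash-prefix lookup style of the Pwned Passwords range API, but replaces the network call with a constructed in-memory corpus so it runs offline. The function names and the sample corpus are assumptions made for illustration.

```python
import hashlib
import re

# Constructed stand-in for the breach corpus: password -> times seen.
# 51,259 is the count the article quotes for "P@ssw0rd".
SAMPLE_CORPUS = {"P@ssw0rd": 51259, "constructed-example-1": 7}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for a range query: returns 'SUFFIX:COUNT' lines
    for every corpus hash that starts with the 5-character prefix."""
    lines = []
    for pw, count in SAMPLE_CORPUS.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def meets_composition_rules(password: str) -> bool:
    """The strength criteria the article lists: upper, lower, digit, 8+ chars."""
    return bool(len(password) >= 8
                and re.search(r"[A-Z]", password)
                and re.search(r"[a-z]", password)
                and re.search(r"[0-9]", password))


def breach_count(password: str, lookup=fake_range_lookup) -> int:
    """Only the first 5 hex characters of the hash are handed to `lookup`;
    the suffix comparison happens locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def acceptable(password: str, max_seen: int = 0) -> bool:
    """Accept only passwords that pass the rules AND are unseen in breaches."""
    return meets_composition_rules(password) and breach_count(password) <= max_seen


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Vq7#constructed-Unseen-Example"):
        print(pw, meets_composition_rules(pw), breach_count(pw), acceptable(pw))
```

In a signup or password-change flow, `lookup` would be replaced by a real range query, so the full password and its full hash never leave the server doing the check.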
If you visit Have I Been Pwned, which we urge you to do, and you search for your email address and the tool finds that you have been part of a breach, this does not indicate that your current password for that account has been compromised. It may indicate that a previous password has been compromised. Nonetheless, if your email account has been found to be part of a breach, we strongly encourage you to change that password, like right now!
What can you do to keep your accounts, and yourself, safe online?
- Do not use the same password for multiple sites. Although this may be impractical, it is the only way to ensure that if one password does get compromised, other services linked to your email account will not be.
- Use a password manager. A password manager will make storing all of your passwords significantly easier. By using a password manager you can randomize passwords without the burden of remembering all of them. In fact, many password managers have a random password generator built in.
- Use 2FA (Two Factor Authentication) wherever possible. If your password is compromised, the attacker will not be able to log into your account without the secondary security code. Typically, 2FA relies on a security code sent to a cell phone via text or a 2FA app such as Google Authenticator.