January 17, 2019 // 10:59 a.m.
A massive dump of leaked email addresses, usernames, and passwords containing 773 million unique records, dubbed Collection #1, has hit file sharing service Mega, and anyone whose details are contained therein is advised to make sure they're not reusing passwords between services.
First announced by Troy Hunt, the security researcher behind leak-monitoring platform Have I Been Pwned, Collection #1 is one of the largest leaks in history: Gathering credentials from numerous individual breaches, the data dump contains 2,692,818,238 rows with 1,160,253,228 unique email address and password combinations - though further cleaning of seemingly-junk entries reveals 772,904,991 unique email addresses and around 21,222,975 unique passwords.
'Last week, multiple people reached out and directed me to a large collection of files on the popular cloud service, Mega (the data has since been removed from the service),' Hunt explains. ' The collection totalled over 12,000 separate files and more than 87GB of data [...] (allegedly) from many different sources. The post on the forum referenced "a collection of 2000+ dehashed databases and combos stored by topic" and provided a directory listing of 2,890 of the files. Whilst there are many legitimate breaches that I recognise in that list, that's the extent of my verification efforts and it's entirely possible that some of them refer to services that haven't actually been involved in a data breach at all. However, what I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago.'
While copies of the raw data are still floating around after its removal from Mega, those who may be affected by the leak have an easier way to check: Entering an email address into Have I Been Pwned, or a domain under your control to check multiple addresses at the same time, will reveal whether it is found in the Collection #1 database - or any other leak or breach tracked by the service. For those who reuse passwords - a dangerous practice which means a breach of an unimportant service can provide credentials valid for more important sites like banking - Hunt has also launched a secondary feature allowing individual passwords to be checked against all tracked breaches and leaks - a process which he admits requires the user to trust his claims that passwords entered into the site are anonymised client-side and never transmitted to Have I Been Pwned.
For those affected by the leak - and for everyone else, for that matter - Hunt has two pieces of advice: 'If you're reusing the same password(s) across services, go and get a password manager and start using strong, unique ones across all accounts. Also turn on 2-factor authentication wherever it's available.'