Privacy and security expert Troy Hunt has published a
warning about Collection #1 — a large
database containing more than 773 million unique e-mail addresses and more than
1.1 billion unique login-password pairs that have
come to light on the Internet.
Collection #1 is only the first release – there will be more
to come. Hunt says it is a dark web compilation from various breaches and the data
was being ‘socialised’ a.k.a. Sold in the
His blog post is sobering stuff. The chances are that you have been Pwned (Hunt’s site to check if your details are there).
Have you been pwned? I have!
I have – my private email address is on three breach sites (the Starwood breach was the worst offender) leading to me having to change absolutely every password I use on the internet and enrol in Experian Identity Works to monitor illicit use of my information.
What I learnt is that never, never re-use the same password
or variants thereof. The hackers were able to guess my password for webmail and
took that over to send spam – tens of thousands of them. Luckily, I use Outlook
365, so my mail store was secure.
They valiantly tried to hack into Google, but it thwarted
that recognising login attempts from an unseen device in a strange country. I was
locked-out of online banking due to their
incorrect three attempts.
I could go on but suffice to say that despite me warning people
about reuse of passwords I had 23 websites using the same generic password –
fortunately only a few of these like Opal, Woolworths, Coles, Myer and Airbnb had any potential for fraud.
What can you do about Collection #1?
Prevention is better than the cure. In this case, there is a
pretty good chance that every non-tin-hat-wearing person on this planet has been pwnd.
Kaspersky Labs has a pretty good article on this massive wake-up call.
Next check your commonly used passwords here. That is how I found which passwords hackers had access to. Change them quicksmart.
Kaspersky suggests using a password manager and of course recommends its own at $18.99 (more for multi-year or multiple accounts). It is for Windows, Android, macOS and iOS. Your passwords, card details and addresses are in an encrypted vault… with just one Master Password for you to remember.