Data leak – Collection #1 is just the beginning

Collection #1

Privacy and security expert Troy Hunt has published a warning about Collection #1 — a large database containing more than 773 million unique e-mail addresses and more than 1.1 billion unique login-password pairs that have come to light on the Internet.

Collection #1 is only the first release – there will be more to come. Hunt says it is a dark web compilation of data from many separate breaches, and that the data was being ‘socialised’, a.k.a. sold, in the hacking community.

His blog post is sobering stuff. The chances are that you have been pwned; Have I Been Pwned is Hunt’s site for checking whether your details are in it.

Have you been pwned? I have!

I have – my private email address is on three breach sites (the Starwood breach was the worst offender), leading to me having to change absolutely every password I use on the internet and enrol in Experian IdentityWorks to monitor illicit use of my information.

What I learnt is never, never to re-use the same password or variants of it. The hackers were able to guess my webmail password and took the account over to send spam – tens of thousands of messages. Luckily, I use Outlook 365, so my mail store was secure.

They valiantly tried to hack into Google, but it thwarted that by recognising login attempts from an unseen device in a strange country. I was locked out of online banking due to their three incorrect attempts.

I could go on, but suffice to say that despite my warning people about the reuse of passwords, I had 23 websites using the same generic password – fortunately only a few of these, like Opal, Woolworths, Coles, Myer and Airbnb, had any potential for fraud.

Hunt’s database now contains 6,474,028,664 pwned email addresses (yes, 6+ billion). You had better check now!

What can you do about Collection #1?

Prevention is better than cure. In this case, there is a pretty good chance that every non-tin-hat-wearing person on this planet has been pwned.

Kaspersky Labs has a pretty good article on this massive wake-up call.

First, check your email address at Have I Been Pwned.

Next, check your commonly used passwords against Hunt’s Pwned Passwords service on the same site. That is how I found which passwords the hackers had access to. Change them quicksmart.
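As an added example (not code from GadgetGuy, Troy Hunt or Kaspersky), the two checks above can be done without handing the password, or even its full hash, to anyone. Pwned Passwords' range API takes only the first five hex characters of the password's SHA-1 and returns every hash suffix in that bucket with a breach count; the comparison happens on your own machine (k-anonymity). The sample range response and sample vault below are constructed, and their counts are illustrative rather than real Have I Been Pwned data; `reuse_report` is a hypothetical helper for the "same password on 23 websites" problem, not part of Hunt's service.

```python
"""Check passwords against Pwned Passwords via the k-anonymity range API,
and list which sites in a password-manager export share a password.
Added example; not GadgetGuy's, Troy Hunt's or Kaspersky's code."""
import hashlib
import urllib.request
from collections import defaultdict

# Real endpoint: GET /range/<first 5 hex chars of the SHA-1>. The response is
# one "SUFFIX:COUNT" line per hash in that bucket (uppercase hex, 35 chars).
PWNED_RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, as Pwned Passwords indexes it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """(prefix, suffix): the 5 chars that are sent, the 35 that never leave."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Turn a range response into {suffix: count}. Count-0 lines (padding
    returned when the Add-Padding header is sent) are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in breaches, given the range
    response for its own prefix. 0 means it is not in the corpus."""
    _, suffix = split_hash(sha1_hex(password))
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network); the offline demo below does not call it."""
    req = urllib.request.Request(
        PWNED_RANGE_API + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """Full k-anonymity round trip: send the prefix, match the suffix locally."""
    prefix, _ = split_hash(sha1_hex(password))
    return breach_count(password, fetch_range(prefix))


def reuse_report(vault):
    """Hypothetical helper: group sites by identical password from a list of
    (site, password) pairs such as a password-manager CSV export. Returns
    {password: [sites]} for passwords used on more than one site. Exact
    matches only; the 'variants' the article warns about are not detected."""
    by_password = defaultdict(list)
    for site, password in vault:
        by_password[password].append(site)
    return {p: sorted(s) for p, s in by_password.items() if len(s) > 1}


# Constructed sample response for prefix 5BAA6 (the SHA-1 prefix of
# "password"). Counts and the other two suffixes are illustrative only.
SAMPLE_RANGE_5BAA6 = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:12
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0A3B7C9D2E4F6A8B0C2D4E6F8A0B2C4D6:0
"""

# Constructed sample vault (site, password) pairs.
SAMPLE_VAULT = [
    ("opal.com.au", "password"),
    ("woolworths.com.au", "password"),
    ("airbnb.com", "Tr0ub4dor&3"),
    ("myer.com.au", "password"),
]

if __name__ == "__main__":
    print("'password' seen", breach_count("password", SAMPLE_RANGE_5BAA6), "times")
    for pw, sites in reuse_report(SAMPLE_VAULT).items():
        print(f"{len(sites)} sites share one password: {', '.join(sites)}")
```

Run it as-is for the offline demo, or call `check_password_online("...")` for a live query. Only a 5-character prefix (one of 16^5 buckets, each holding hundreds of hashes) crosses the network, so the service never learns which password you checked; the `Add-Padding` header further hides which bucket is which by padding responses with zero-count entries, which `parse_range` discards.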

Kaspersky suggests using a password manager and, of course, recommends its own at $18.99 (more for multi-year or multiple accounts). It is for Windows, Android, macOS and iOS. Your passwords, card details and addresses are kept in an encrypted vault, with just one master password for you to remember.

I have not used it, but it seems similar to products including Norton Vault, LastPass, Keeper etc.

GadgetGuy’s take: I feel very insecure after Collection #1

I have been on the internet since the early 90s and have had the same email address the whole time. I preach, nay extol, the virtues of frequent password change, no re-use etc.

Had I not been pwned, I may simply have kept preaching, but now it is a case of imploring you all to take care. Please:

  • Use a paid antivirus/anti-malware suite on everything
  • Use a paid password manager
  • Use a paid VPN
  • Never store passwords in ‘plain sight’ in an email, notes, .txt files etc.

Sermon over.