In cybersecurity, breaches are something you can't really immunize your site against, you just kind of have to do the best you can to secure things, and hope it holds.
Sometimes you get slightly unlucky, and sometimes much more so. Much much more.
The Equifax breach in the US was one of the largest and most damaging in recent history, exposing the banking and personal details of millions of users. This latest one is worse, with 772,904,991 unique email addresses and over 21 million unique passwords exposed, all at once.
The data was first uncovered by security researcher Troy Hunt, who runs the website Have I Been Pwned. It's a database of past breaches, set up in such a way that you can't scroll through it, but you can search for any of your accounts that have been leaked. If it's on there, you should be changing your password.
Hunt's latest discovery, currently entitled 'Collection #1', is the single largest breach on his site by a huge margin. He says he recently found it all on a popular hacking forum; it had been uploaded to the cloud storage service MEGA, where it sat in a folder under the name it has now been given.
In fact, the original collection was larger, as Hunt had to clean it up to eliminate duplicates and unusable strings of data. It was originally closer to 2.7 billion rows of addresses and passwords in more than 12,000 files amassing over 87 GB.
Unfortunately, he's not sure where the data came from. Given the sheer size and variety of the details, he believes they come from a number of sources, probably ones that used the same kind of protective hashing for passwords, which has likely been cracked.
"It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers," Hunt told WIRED. "There's no obvious patterns, just maximum exposure."
This is certainly one of the widest-ranging breaches to ever become public. In fact, by volume, it's only topped by the massive Yahoo breaches which affected 1 billion and 3 billion people.
The biggest worry here? There's enough data for something called a credential stuffing attack. That's where hackers take a massive amount of login data like this, and they automate a process that attempts to sign in to a variety of services, using various combinations of email and password from the trove. It's bad in general, and it's especially bad for those of you that reuse passwords for various services across the Internet.
The only thing going for you here is that, since the dataset has gone public, you can find out for sure if you've been compromised. Then you can at least get to changing those passwords. There's also a fairly new password search feature to determine if your passwords have been leaked separately, though it won't tell you from which accounts.
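As an added illustration (not code from the article or from Have I Been Pwned itself), this script performs the password check the way the Pwned Passwords range API works: only the first five hex characters of the password's SHA-1 leave your machine, and the match against the returned hash suffixes is done locally, so the service never sees the password or its full hash. The API URL is the real endpoint; the sample response body and its counts are constructed for the offline run.

```python
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"  # real Pwned Passwords range endpoint

# Constructed sample of what the range endpoint returns for prefix "5BAA6":
# each line is "<35-hex-char SHA-1 suffix>:<times seen in breaches>".
# The second suffix completes SHA-1("password"); the counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1E29E76A6F8DDC8C0BF12F8E53B8C5F3D77:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804
1E4E1F0F5B0E6F6B5B1C2B3D3D0D7B1B0B0:1
"""

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash form the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range(body: str) -> dict:
    """Parse a range response into {suffix: count}, skipping malformed lines."""
    table = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            table[suffix.upper()] = int(count)
    return table

def fetch_range(prefix: str) -> str:
    """Real lookup: only the 5-character prefix is sent over the network."""
    req = urllib.request.Request(API + prefix, headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, lookup=fetch_range) -> int:
    """Return how many times the password appears in the range data (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(lookup(prefix)).get(suffix, 0)

def offline_lookup(prefix: str) -> str:
    # Constructed stand-in for fetch_range so the example runs without network access.
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, offline_lookup)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample range")
```

Swap `offline_lookup` for `fetch_range` to query the live service; a non-zero count means the password has appeared in a known breach and should be retired everywhere it is used.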