It may be time to change all your passwords. If you thought Facebook leaking your data to a third party was bad, wait till you hear this. As many as 772,904,991 unique email addresses and over 21 million unique passwords have been leaked online. This data dump, called "Collection #1," is an aggregation of multiple leaked databases that include passwords that have been cracked, and it holds 2.7 billion records.
The data set was first reported by security researcher Troy Hunt, who runs the Have I Been Pwned website. This website lets you check whether your email address or password has been compromised in a breach at any point in time. Hunt confirms in a blog post, “the unique email addresses totalled 772,904,991 and there are 21,222,975 unique passwords.”
Collection #1 is over 87GB of data and contains over 12,000 separate files. As it turns out, this data leak was posted on the cloud-based sharing website Mega. Hunt refers to Mega as a “hacking forum” and clarifies that this data seems to have been taken down since.
On most websites, logins work without the site storing your password itself. Instead, the site stores a "hash" of your password: the output of a complex mathematical calculation, which is a long string of numbers and letters. The next time you log in to the website with the same credentials and type in the password, the authentication process runs the password through the same calculation, and if the resulting hash matches the stored one, you are allowed to access your account. The latest breach clearly suggests that these hashes, which are meant to be a protective layer for your passwords, have been cracked. The hackers have collected and presented your passwords in plain text form in this Collection #1 dump.
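The store-a-hash, recompute-and-compare login flow described above, as an added Python example that is not from the original article or from any breached site. The function names, the sample password and the PBKDF2 work factor are assumptions chosen for illustration; the unsalted SHA-1 helper is included only for contrast, to show why a unique salt and a slow hash matter once a hash database leaks.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # assumed work factor for this example


def register(password: str) -> dict:
    """Build the record a site stores: salt, work factor and hash, never the password."""
    salt = os.urandom(16)  # unique random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "rounds": PBKDF2_ROUNDS, "hash": digest}


def login(record: dict, attempt: str) -> bool:
    """Run the attempt through the same calculation and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["rounds"]
    )
    return hmac.compare_digest(digest, record["hash"])


def weak_hash(password: str) -> str:
    """Unsalted fast hash, for contrast: equal passwords always give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def demo() -> dict:
    # Constructed sample: two accounts that chose the same password.
    alice = register("correct horse battery")
    bob = register("correct horse battery")
    return {
        "correct_password_accepted": login(alice, "correct horse battery"),
        "wrong_password_rejected": not login(alice, "correct horse batter"),
        # Per-account salts mean one cracked hash does not reveal the other account.
        "salted_hashes_differ": alice["hash"] != bob["hash"],
        # Without a salt, every account sharing a password shares a hash.
        "unsalted_hashes_match": weak_hash("correct horse battery")
        == weak_hash("correct horse battery"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```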
Now, how do you find out if your email has been impacted?
Hunt has loaded the data into Have I Been Pwned. Head to this website and type in your email address to find out whether your account has been compromised and, if yes, how many previous breaches it has been a part of. The additional data also tells you exactly how much of your data was revealed in each of the breaches: email address, password, user name, IP addresses, geographic location, government issued ID documents, phone number, physical address and more.
Secondly, you can head to Have I Been Pwned’s companion platform, called Pwned Passwords, and type in any password that you use to see if that particular password has ever been leaked in any of the previous data breaches.
The sheer scale of Collection #1, and of what it reveals, is huge. This is one of the largest data breaches in the history of the world wide web, if not the biggest. It is worrying to note that this entire collection was available in the public domain, on the world wide web, for a significant period of time. Till Mega took it down, that is.