02/11/2019
Massive “Collections #1-5” Data Breach: What You Should Know
Over the past several weeks, you may have seen news stories announcing more “mega breaches” of personal account data, now believed to impact upwards of 2.2 billion accounts. Credentials for one or more of your accounts, and likely those of your friends and family, may be among them. While this was NOT a U-Haul breach, we feel it is best to make you aware of the issue so you can protect yourself.
What happened?
In January, news broke that files containing approximately 773 million email addresses and passwords were openly and freely being shared online. This collection of files, called a “data dump,” was being referred to as “Collection #1,” and was one of the largest data dumps yet. Since then, other researchers have identified additional databases now being called “Collections #2-5,” which together include more than 2.2 billion compromised account credentials. Researchers have determined that this is not newly compromised data, but a compilation of stolen data from many previous data breaches over the years.
What is the risk?
The data from these files is expected to be used in “credential stuffing” attacks: automated attempts to sign into many websites using leaked email and password pairs. Normally, criminals have to guess, running large lists of likely passwords against each account, but with data dumps like these they no longer need to guess. They already have the actual username and password for the account!
But cyber criminals don’t stop there. They will also try the same email address and password combination on other websites. Spammers also often send extortion emails that quote a password you really used, to “prove” they have hacked your account(s), and threaten to release information about you online or to your contacts if you don’t pay them a ransom in Bitcoin or other cryptocurrency. In those emails the password almost always came from an old dump like these, not from access to your computer, but it still means that password must be changed everywhere you used it.
The bad guys know that far too many people reuse the same password across multiple accounts and/or use weak passwords such as “password” or “123456.” They also know that many other people are using those same passwords. Of the original 773 million compromised accounts, only 21 million unique passwords were found. That means, on average, each password matches nearly 37 accounts. We’re making it too easy for the bad guys! It’s hardly even “hacking” at this point.
What can you do?
The first step is to determine whether any of your accounts have been compromised. A well-known and trusted security researcher named Troy Hunt runs a website called “Have I Been Pwned?” that identifies breached accounts. (The funny name “pwned” is a play on the word “owned,” meaning compromised.) He provides a free search tool that lets you enter an email address to see whether it appears in any known breach.
We recommend searching all of your email addresses, both personal and work, and even those of your spouse, parents, or anyone else you care about but know will not do this themselves. If any of your email addresses appear in a breach, now is the time to change the password on that account and on any other account where you used the same password.
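The same site also lets you check whether a password itself appears in the dumps, without ever sending the password anywhere. The script below is an added example, not code from this article or from Have I Been Pwned. It uses the site's real Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/), which is queried with only the first five hex characters of the password's SHA-1 hash and answers with every matching hash suffix and how often it was seen, so the full password and full hash stay on your machine. To run offline, the sample response embedded here is constructed (the suffixes and counts are made up), except that one line carries the real SHA-1 suffix of the password “password”; pass `fetch=fetch_range` to query the live service instead.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords "range" (k-anonymity) API.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a real range response for the prefix 5BAA6.
# The real response has hundreds of "SUFFIX:COUNT" lines; the suffixes and
# counts here are made up, except that the middle line is the real SHA-1
# suffix of "password" (full hash 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8).
SAMPLE_RESPONSES = {
    "5BAA6": (
        "1D2C7EE8F0D0B3C4A5F6E7D8C9B0A1F2E3D:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F0A9B8C7D6E5F4A3B2C1D0E9F8A7B6C5D4:17\r\n"
    ),
}


def sha1_split(password):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the 5-character prefix is ever sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blanks."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup: GET the range for a 5-character hash prefix (needs network)."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "passphrase-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix):
    """Stand-in for fetch_range that answers from the constructed sample above."""
    return SAMPLE_RESPONSES.get(prefix, "")


def breach_count(password, fetch=offline_fetch):
    """How many times the password appears in the dumps (0 = not found).

    Use fetch=fetch_range to ask the real service."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "ChairSidewalkBuildingCloud13"):
        n = breach_count(pw)
        verdict = f"seen {n} times, do not use it" if n else "not in the sample data"
        print(f"{pw!r}: {verdict}")
```

Because the service only ever sees a 20-bit prefix shared by hundreds of unrelated passwords, it learns nothing useful about which password you checked; that is the property that makes it safe to check passwords you actually use.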
Hopefully you’ve caught on by now, but it’s a really bad idea to reuse the same password across multiple accounts. Reusing passwords creates a “one-to-many" situation in which one compromised account leads to many. Since it’s hard to remember unique passwords for every single account, we recommend using a password manager, like LastPass or similar, to keep track of your passwords. However, if you use a password manager, you must ensure that you use an EXTREMELY strong master password, and we highly encourage you to enable whatever multifactor authentication options are available to you.
On that note, while you are changing your passwords for any account that has been “pwned,” check to see if the account provider supports any multifactor authentication (sometimes called “two-step verification” or “two-factor authentication”) options. This is an added security measure that requires not only your password to sign in, but also a second challenge like a code sent via text message, a prompt on your smartphone, or your fingerprint. Without the second factor, the password alone is not enough to sign into your account. An authenticator app or a hardware security key is stronger than a code sent by text message, but any second factor is far better than none.
Choosing strong passwords
Ultimately, changing compromised passwords is the low-hanging fruit here. As we’ve said in the past, the strongest passwords are unique, long and unpredictable.
1. Use a long password with at least 15 characters. Computers can guess passwords at an insanely fast rate, and the fewer characters a password has, the easier it is to break. The longer the password, the longer it takes cyber criminals to crack it.
2. Use complex passwords that include unpredictable combinations of numbers, symbols and lower and upper-case letters. If you follow a known pattern or use information about yourself, your password can be quickly guessed.
3. Use passphrases. A passphrase is a string of several unrelated words, optionally with numbers and symbols, that is easy for you to remember but does not follow any dictionary phrase or known pattern a password-cracking program would try. An example of an unpredictable passphrase that you can remember would be “ChairSidewalkBuildingCloud13” (please do not use this passphrase).
4. Do not reuse previous passwords or use the same passwords across different accounts. If one of these accounts is compromised, then they all are vulnerable, multiplying your risk. Use unique passwords every time.
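The four rules above are easy to turn into code. The script below is an added example, not part of this article: it generates a passphrase in the “ChairSidewalkBuildingCloud13” style from a cryptographically secure random source, computes how much guessing work such a passphrase represents, and checks a candidate password against the rules. The 16-word list is a constructed stand-in so the script runs on its own; the entropy function shows why a real generator must draw from a large list such as the EFF long word list (7,776 words), since four words from a 16-word list give only 16 bits of entropy versus about 52 bits from the EFF list. The “already used” set stands in for the passwords a password manager already knows about.

```python
import math
import secrets

# Constructed, deliberately tiny word list for a stand-alone demo. A real
# generator should use a large list (e.g. the EFF long list, 7,776 words).
DEMO_WORDS = [
    "chair", "sidewalk", "building", "cloud", "river", "lantern",
    "copper", "meadow", "orbit", "velvet", "harbor", "cactus",
    "pepper", "glacier", "summit", "walnut",
]

# The weak passwords the article calls out; a real check would use a much
# longer breach-derived list (see the Pwned Passwords check above).
COMMON_PASSWORDS = frozenset({"password", "123456"})


def entropy_bits(num_words, list_size):
    """Entropy of num_words words drawn uniformly (with replacement) from list_size words."""
    return num_words * math.log2(list_size)


def make_passphrase(num_words=4, digits=2, words=DEMO_WORDS):
    """Build a CapitalizedWords+digits passphrase using the OS random source.

    secrets.choice / secrets.randbelow are CSPRNG-backed; random.choice is not
    suitable for secrets. Words are drawn with replacement so entropy_bits()
    is exact for the result."""
    chosen = [secrets.choice(words).capitalize() for _ in range(num_words)]
    suffix = "".join(str(secrets.randbelow(10)) for _ in range(digits))
    return "".join(chosen) + suffix


def check_password(password, already_used=frozenset(), min_length=15):
    """Return the list of rules from the article that the password breaks ([] = OK)."""
    problems = []
    if len(password) < min_length:                       # rule 1: length
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:             # rule 2/3: predictable
        problems.append("is a well-known weak password")
    if password in already_used:                         # rule 4: no reuse
        problems.append("reused from another account")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:                                 # rule 2: mixed classes
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    print(f"4 words from {len(DEMO_WORDS)}-word demo list: "
          f"{entropy_bits(4, len(DEMO_WORDS)):.1f} bits")
    print(f"4 words from the 7,776-word EFF list: {entropy_bits(4, 7776):.1f} bits")
    candidate = make_passphrase()
    print(f"generated: {candidate} -> problems: {check_password(candidate)}")
    print(f"'password' -> problems: {check_password('password')}")
```

The generator builds the phrase by concatenating capitalized words, so it is always at least 22 characters with this list and passes check_password; note that every check here is a floor, not a guarantee, and the reuse check only works if you give it the passwords you already have, which is exactly the job a password manager does for you.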
Have I Been Pwned allows you to search across multiple data breaches to see if your email address has been compromised.