A massive database containing nearly 773 million unique email addresses and over 21 million unique passwords was recently found to be hosted on cloud service MEGA by security researcher Troy Hunt, providing an indication of exactly how hackers have been able to obtain email addresses and passwords of millions of people over the years.
According to Hunt, who blogged about the find in his popular website Have I Been Pwned?, the said data dump, dubbed Collection #1, contained 1.16 billion unique combinations of email addresses and passwords and even though the data wasn’t neatly formatted, it allowed scores of hackers and cyber criminals with enough information to carry out credential stuffing attacks on a major scale.
Collection #1 the largest breach ever
The unearthing of Collection #1 hosted on MEGA is now officially the largest data breach ever, even larger than an unsecured cloud server based in the Netherlands which was unearthed by Hunt in August 2017 and contained as many as 711 million email addresses and passwords, which Hunt describes as ‘almost one address for every single man, woman, and child in all of Europe’.
Following a detailed analysis of Collection #1, Hunt noted that almost all of the email addresses and passwords included in it were added since 2015, even though there were a few files that dated back to 2008. Considering that hackers now have access to millions of email and password combinations of people who are unaware that their accounts have been compromised, the use of two-factor or multi-factor authentication by people would certainly prevent hackers from leveraging the database to cause further damage.
Greater focus on automation to prevent breaches in 2019
“Unlike previous high profile data dumps, where the data all comes from one compromised party, this appears to be a carefully curated collection of dumps from a large collection of compromises. A brief skim of the alleged sources suggests that these are smaller online entities that likely have not spent much time or resources on security. Some of them may not even be aware that they have been compromised some time ago, and that the data may originate from years earlier,” says Nick Murison, managing consultant at Synopsys.
“Such a large data leak underscores the need for all companies to invest in security as part of their software development. This includes both establishing activities such as threat modelling early in development and penetration testing as part of ongoing operational activities, as well as investing in tools and automation to ensure security defects are discovered as part of regular development and testing phases.
“With data protection laws becoming increasingly strict (e.g. GDPR), there is no excuse for a company not to be thinking about the risk of data breaches in 2019. This goes for companies developing their own systems as well as companies that decide to outsource development; you cannot outsource the responsibility you have to safeguard your customers’ data,” he adds.
Javvad Malik, a security advocate at AlienVault, also said that the silver lining about the Collection #1 breach is that companies can use the data from the unsecured database to enrich their detection capabilities by proactively looking at credential stuffing attacks, or blocking users from reusing passwords that have been compromised.