One of the single largest public data breaches in history was recently discovered, and it includes more than 770 million unique email addresses and over 21 million unique passwords. The massive breach was first reported by cybersecurity researcher Troy Hunt, who received multiple tips about the data’s availability on a popular hacking forum. The breach, which some are calling the “mother of all breaches,” appears to be a combination of more than 2000 smaller data breaches and leaks over a broad time period. Given the vast scale of the data dump, chances are good that your personal and/or company’s data can be found in the 87 gigabytes of leaked information.

What Happened?

The leaked data was made available for download through the well-known MEGA cloud storage service before being removed a few days ago. Initial reports indicate that the data may have been first posted online as early as October 2018. For a sense of scale, the breach, dubbed “Collection #1,” is more than five times larger than the headline-grabbing 2017 Equifax data breach that affected 148 million Americans. The leaked data set appears to include data from a variety of sources, including some data stolen between two and three years ago, as well as older data dating as far back as 2008. The passwords leaked in the data dump were decrypted by the hackers, and can be easily misused by any unscrupulous downloader. Most concerning of all, however, is that Collection #1 may just be the tip of the iceberg.

In an interview with the anonymous party offering to sell Collection #1 for just $45, security journalist Brian Krebs reported that the seller was also offering to sell several more volumes of stolen data, including downloads entitled Collection #2 through Collection #5. The seller also provided evidence suggesting that the additional collections were much larger than the leaked Collection #1, and contained data from more recent data breaches. Time will tell whether this is the largest hacked data leak in history.

What is the Risk?

We already know that the leaked email addresses and passwords from Collection #1 (and other breaches) are in the hands of hackers looking to illegally profit off the data. The question you should ask yourself is what is the risk of harm? Or, if you are a business owner, what does the breach mean for your business? The answer largely depends on one major risk factor: password reuse.

If you, your business’ customers, or your employees reuse the same passwords across multiple online accounts, you are at a significantly higher risk of harm from breaches like Collection #1. Using a technique known as credential stuffing, hackers can automatically test thousands of known email & password combinations across thousands more websites and accounts. That means that if you used the same password for your streaming music service, work email, and Amazon account, all three accounts could be at risk due to a single breach. Similarly, if an employee accesses your company’s computer system using the same password he or she used in one of the 2000+ breached databases contained in Collection #1, your company systems would also be vulnerable. Collection #1 should be a wake-up call for everyone who reuses passwords, because no matter how strong your password or how good your other security measures, password reuse makes a hacker’s job easy. The breach is also a stark reminder that security breaches at unrelated organizations can still affect your company’s IT systems.

What Can You Do About It?

 Your first step should include determining whether you or your business’s data was compromised by the Collection #1 breach. You can easily cross check your email addresses and passwords against a database containing the Collection #1 data, in addition to thousands of other known public data breaches. Companies can also do a domain search to see if any users’ passwords within their organizations were hacked. If you were not affected (lucky you!), you should still take the opportunity to review and improve your password and security practices. If, on the other hand, your password credentials were compromised, your focus should be on recovering from the breach by securing your accounts, fixing existing vulnerabilities, and preventing future harm.

Individuals can recover from breaches like the Collection #1 leak by immediately changing all affected passwords, enabling two-factor authentication for any accounts that enable it, and paying close attention to financial accounts and credit monitoring. Individuals can also minimize future harm by choosing strong, unique passwords for all new accounts, and never, ever reusing old passwords. A password manager can do wonders here, and is one of the few security measures that actually makes life easier. Use one.

Businesses have a steeper hill to climb. To begin, affected businesses should already have a detailed cybersecurity incident response plan, and should immediately assemble their incident response team, and follow the documented plan. If no such response plan exists, business owners should seek third-party assistance in responding to the breach to ensure all practical and legal obligations are met. Next, it is prudent to begin securing company systems by disabling any affected users’ account access and forcing password resets. A secondary measure may also include strengthening internal password policies by prohibiting use of any passwords exposed in the breach. After securing operations, businesses should determine whether any unauthorized access to company systems actually occurred. Breach response teams should review access logs and other data sources to identify suspicious log-ins or data traffic, especially for compromised user accounts. Computer forensic services can assist in this process if needed. Depending on the conclusion of the analysis, companies should either set about repairing any damage caused from the breach, or breathe a sigh of relief that no actual breach occurred. No matter the conclusion, the incident should be fully documented, and reported to any required parties in accordance with relevant legal requirements.

After the dust has settled, businesses should take the opportunity to review and update existing incident response procedures, information security policies, and other internal security mechanisms to ensure preparedness for future cyber-threats. Whether or not you or your business was affected by Collection #1 or any as-yet unknown future breaches, individuals and businesses alike can minimize their risk through awareness, planning, and following preferred security practices. When it comes to cybersecurity, there is no question that an ounce of prevention is worth a pound of cure.

For more information on this or other data security & privacy issues, contact Nadeem Schwen.

January 18, 2019