Collection #1 Data Breach: advice on passwords
17 January 2019
3/4 billion email addresses have been affected by the Collection #1 Data Breach. The email addresses together with passwords were uncovered in a number of files on the mega.nz cloud service (they have since been removed) and analysed by Troy Hunt for the Have I Been Pwned? service.
This is a service, free to sign up to, that will alert you if your email address appears to be part of a data breach. If you are alerted then you can decide whether you want to change your email password.
Troy Hunt has written a good explanation of the breach here: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
It's worth reading. But if you do nothing else, you should:
- Sign up to Have I Been Pwned
- Implement two-factor authentication on your email accounts
- Make sure you are using a strong password: ideally 12 characters, including letters, numbers and capital letters, with no dictionary words or names included. Remember that hackers know that letter substitution happens, e.g. @ is substituted for a. You should also consider using a password manager.
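The password advice above can be turned into an automated check. The following is an added example, not part of the original article: the word list and substitution table are small constructed samples (assumptions), and the function names are hypothetical. It shows why a password such as P@ssw0rd2019! meets the length and character rules but still fails once the substitutions are reversed.

```python
import re

# Constructed sample list (assumption); a real check would load a full
# dictionary plus common names.
WORDS = {"password", "welcome", "dragon", "london", "jessica", "monkey"}

# Constructed table of common substitutions, reversed before dictionary matching.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(password):
    """Lower-case the password and reverse common letter substitutions."""
    return password.lower().translate(LEET)


def find_words(password, words=WORDS):
    """Return dictionary words or names hidden in the password."""
    plain = normalise(password)
    # Also match with separators and digits stripped, e.g. "l0n.d0n".
    letters_only = re.sub(r"[^a-z]", "", plain)
    return sorted(w for w in words if w in plain or w in letters_only)


def check_password(password):
    """Return the problems found against the advice above; empty means none."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    for word in find_words(password):
        problems.append(f"contains dictionary word or name: {word}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ["P@ssw0rd2019!", "J3ssica!2019", "vQ7rk2LmZx9pTc4h"]:
        print(candidate, "->", check_password(candidate) or "no problems found")
```

An empty result only means the password meets the criteria listed above; it does not show whether the password has already appeared in a breach.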
In response to the breach, Jake Moore, Cyber Security specialist at ESET, says: “There has never been a better time to change your password. It is quite a feat not to have had an email address, or other personal information, breached over the last decade. If you’re one of those people who think it won’t happen to you, then it probably already has.
“Password managing applications are now widely accepted, and they are much easier to integrate into other platforms than before. Plus, they help you generate a completely random password for all of your different sites and apps. And if you’re questioning the security of a password manager, well they are incredibly safer to use than reusing the same three passwords for all your sites.”