The ‘Biggest EVER’ Collection of Hacked Passwords Is Not That Bad

Someone put together a massive list of 773 million unique email addresses and 21 million unique passwords. But there’s really no reason to panic.

|
Jan 17 2019, 5:16pm

Image: Cathryn Virginia/Motherboard

If you casually browse tech news today you may come across some scary stuff: millions and millions of emails and passwords (perhaps even yours!) have been dumped online.

Gizmodo called it the “mother of all breaches.” Wired said it’s a “monster breach.” The Daily Mail went with “Biggest EVER collection of breached data.” Mashable advised readers to change their password—again.

But hold on, do not panic.

If you’ve followed our work at Motherboard, you know that millions of passwords get dumped online pretty often. In 2016, for example, we revealed that hackers were trading 427 million MySpace passwords, and 117 million LinkedIn passwords.

This new breach, which is being called “Collection #1,” is actually not that bad compared to other massive breaches in the past if you carefully read what data was exposed. According to Troy Hunt, the security researcher who first reported and analyzed it, this collection of credentials includes 773 million unique email addresses, and 21 million unique passwords.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

But there are some key mitigating factors here. First, as the name suggests, this is a collection of several old data breaches. In fact, of the 773 million unique emails in this collection, only 141 million (around 18 percent) were not included in Have I Been Pwned, Hunt’s invaluable resource of hacked data. And of the 22 million passwords, half were not in the database.

This means that most likely, your old, simple password was already breached a while ago and you should’ve been notified either by the service that was breached or by Have I Been Pwned a long time ago.

As Hunt puts it in his level-headed and informative post, “my hope is that for many, this will be the prompt they need to make an important change to their online security posture.”

That important change you need to make is to make sure to use unique passwords (don’t feel too ashamed, we all re-use passwords but we really need to stop doing it), and enable two-factor authentication wherever you can, as we suggest in our Guide To Not Getting Hacked. Pretty much the only real risk for your online safety when something like Collection #1 happens is cybercriminals breaking into your account using so-called “credential-stuffing.” These are automated attacks where hackers just try every possible combination of email and password from a database they own to log into popular services.

If you use a unique password and two-factor, these attacks will just not work.

Changing habits is hard. And setting up all your password and accounts to a password manager does take a bit of time and patience. But once you do it, you never have to do it again, and password managers actually make your online life easier by autofilling password fields, and even alerting you if your password is not unique.

So, no, no need to panic or freak out. But maybe this is a good day to finally install that password manager app you’ve been hearing about from your more paranoid friends.

Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.