The original data collection had a staggering 2.7 billion rows of email addresses and passwords, including over a billion unique combinations of email addresses and passwords. The data was also being distributed on a popular public hacking forum.
The monster data dump goes by the prosaic name "Collection #1" and contains 1.16B unique combinations of email addresses and passwords, but only 772 million unique email addresses. Users can visit Hunt's website and enter their email address, or even a password, to see whether it has been exposed. If it hasn't, you can breathe a sigh of relief. "Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because it's subsequently been breached and you've been using that same password all over the place, you've got a serious problem". As remembering a unique password for every site is hard, Hunt also suggests using a password manager to keep track of them.
It may be time to change your passwords again. All you need to do to check if you've been compromised is to head to the site and put in your email address.
"Data breaches occur through weak credentials, poor password policies, lack of multi-factor authentication, unnecessary exposure of systems and services to the internet or unpatched vulnerabilities", said Alex Hinchliffe, threat intelligence analyst at Unit 42, a threat research team at American cybersecurity firm Palo Alto Networks. With the leaked data in hand, an attacker can simply plug in a username and password to access these accounts.
Hunt said multiple people alerted him to the existence of Collection #1 last week.
The data, since removed, is known as Collection #1. Hunt's site doesn't store any passwords, though he has added a similar tool that lets you input a password to see if it too has been compromised.
Hunt also advises everyone to grab a password manager.
Conversely, Motherboard judged Collection #1 to be considerably less risky than the most alarming headlines, since some of the information is duplicated from older breaches, and numerous email accounts listed in the massive hacker database were not accompanied by passwords. "Password managing applications are now widely accepted, and they are much easier to integrate into other platforms than before".
Nonetheless, that leaves about 140 million email addresses that hadn't previously appeared in disclosed data breaches. You should change the passwords on any email accounts that have been leaked.
"It might be contrary to traditional thinking, but writing unique passwords down in a book and keeping them inside your physically locked house is a damn sight better than reusing the same one all over the web", Hunt wrote in his blog post on the breach.