Credit: Lucas Gouveia/How-To Geek | valiantsin suprunovich/Shutterstock
Summary
- Massive dump: ~2B emails and 1.3B unique passwords compiled from many breaches and logs.
- Many exposed passwords are still active; immediate password changes are essential to avoid account takeover.
- Check Have I Been Pwned now and use a password manager; stop reusing passwords across sites.
Breaches are always bad, but we often don’t find out about many of the smaller breaches, which aren’t advertised much and can be just as bad—especially if you’re the kind of person to use the same password everywhere. If you need yet another reminder that this is bad practice, this breached credentials dump is just what you need.
Almost 2 billion email addresses and 1.3 billion unique passwords have been uploaded to Have I Been Pwned (HIBP), a database that lets users check whether their email address has appeared in a data leak. The data was compiled by Synthient and was initially misreported as a Gmail breach; an explainer post clarifies that the trove spans 32 million unique email domains, and that Gmail is simply the most common one because it is the biggest email provider. It isn’t a single breach at all, but a massive collection of email/password pairs aggregated from many different sources (stealer logs and other breaches). Attackers use collections like this to run “credential stuffing” attacks, trying each leaked email/password pair on unrelated sites (banking, email, shopping) until one of them works.
In theory, this is all supposed to be old data, some of it dating back to the 1990s. So why does it matter? It’s notable for several reasons. After corroborating the data with several HIBP users, it was found that some people were still using the exposed passwords on their active accounts. One user had to “immediately” make a list of active accounts to change, perfectly illustrating that these credentials are a current danger, not just a historical one.
With nearly 2 billion unique emails and 1.3 billion unique passwords, it is the “most extensive corpus” HIBP has ever processed. The sheer volume (including 625 million passwords HIBP had never seen before) dramatically increases the probability that any given person is exposed.
You should head over to HIBP’s website now to see if you’re part of this dump or previous dumps. And while you’re at it, change those passwords and download a password manager. I can’t stress the importance of a password manager enough these days.
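One way to check whether a password appears in HIBP’s Pwned Passwords corpus without ever sending the password itself, as an added example that is not part of the original article: the script uses HIBP’s real k-anonymity range API (only the first five hex characters of the SHA-1 hash leave the machine), while the sample response and its counts below are constructed for offline use.

```python
import hashlib
import urllib.request

# Real endpoint of HIBP's Pwned Passwords range API (k-anonymity model).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest.
    Only the prefix is ever sent to HIBP; matching happens locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_matches(suffix: str, range_body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how often
    the suffix was seen in the corpus, or 0 if it is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Fetch every suffix sharing this prefix (network call; HIBP requires a UA)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch=fetch_range) -> int:
    """Hash locally, fetch the range for the prefix, match the suffix locally."""
    prefix, suffix = split_hash(password)
    return count_matches(suffix, fetch(prefix))

# Constructed sample response for the range of "password" (real responses run
# to hundreds of lines and real counts differ); SHA-1("password") starts 5BAA6.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

if __name__ == "__main__":
    # Offline demo using the constructed body; drop the fetch= argument to query HIBP.
    print(pwned_count("password", fetch=lambda _p: SAMPLE_RANGE_BODY))  # 12345
```

A non-zero count means the password is in the corpus and should be retired everywhere it is used, which is exactly the check a password manager’s breach audit automates.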
Source: Troy Hunt