By Richard Arneson
It’s interesting what forty-five (45) bucks will buy you these days─a small bag of groceries, a night at the movies with your significant other (if you the small-sized drinks and snacks at the concession stand), and half a parking space at a Dallas Cowboys home game. Also, and if you don’t possess a conscience, it can get you three-quarters of a billion unique email addresses.
Last week it was revealed by security researcher Troy Hunt that “Collection #1”, an unimaginative name for one (1) of the largest security breaches of all time, is a mass of data—almost 90 Gb worth—that includes 773 million unique email accounts and almost 25 million associated passwords. Yes, passwords.
Originally, the data numbered 2.7 billion records, but Hunt jettisoned the garbage to arrive at its current, apparently marketable total.
Just so there’s no confusion, Hunt is the good guy. For years, he’s been researching data breaches and alerting the public of his findings. He shared his recent, pared-down database with the site Have I Been Pwned?, which allows email addresses to be entered to discover whether they are one (1) of the unlucky 773 million. The bad guy(s) are the ones selling access to the database on a file hosting site that shall remain nameless (sorry, no free advertising for evil).
Collection #1 isn’t a new thing; it’s been around approximately two (2) years. Collection #2 came first, and actually puts its digital progeny to shame. Aside from the fact that it was named by a sequentially-challenged hacker, it totals over 500 Gb. So, if you’re keeping score at home, both collections total almost a terabyte of stolen data that is available to miscreants for the one-time fee of $45. A steal—literally and figuratively.
Hunt does offer up a sliver of solace. While he found his email address in the database, the password associated with it was one (1) he’d used many years ago. Whew. However, even if a password was used for email years ago, you may not be out of the woods. For instance, what if it’s the current password you use to log into another site, like—gulp—your bank. It could be a key that unlocks a spate of services.
Yikes! What next?
First, go to Have I Been Pwned? to discover if you’re an undistinguished member of this hacked fraternity. If so, start changing your passwords—all of them. But don’t change them once and never do it again. We’re supposed to be replacing the batteries in our smoke detectors when daylight savings time ends and begins, right? Add changing passwords into the mix. With the volume of excellent password management tools available, you have sundry options to address this problem. That’s not to say it’s a security panacea, but it can greatly reduce password-related issues.
To find out how to secure your organization’s network and mission critical data, contact GDT’s tenured and talented engineers and security analysts at SOC@GDT.com. From their Security and Network Operations Centers, they manage, monitor and protect the networks of companies of all sizes, including those for some of the most notable enterprises, service providers, healthcare organizations and government agencies in the world. They’d love to hear from you.