The Details of at Least 773 Million People Surfaced on a Free Cloud Storage Service

The details of at least 773 million people surfaced on free cloud storage service last week, reported Troy Hunt, Australian web security expert, and administrator of Have I Been Pwned (HIBP) website. As you might already know, Troy has been collecting data from many data breaches over the last five years. He has been compiling it into a single database, so people have the opportunity to search across multiple data breaches and find out if their details have been compromised at some point in the past. The website allows searches by password and email.

When we heard the news about what Gizmodo calls the ‘mother of all breaches,’ we initially thought that Troy Hunt and his database had been hacked. However, this was quickly debunked as Troy himself confirmed that he is the one who actually found the pile of stolen data. He called the breach ‘Collection #1’ and highlighted that this is the ‘single largest breach ever to be loaded into HIBP.’

This incident shows that Troy Hunt was not the only one who has been piling up information from past data breaches. An anonymous hacker uploaded approximately 12,000 files containing 772,904,99 emails and 21,222,975 unique passwords into a single large database. Troy reported that the 87GB worth of stolen data was published on a free cloud service called MEGA. What makes this breach particularly interesting is that this is the first part of a much bigger database of stolen data. Troy Hunt reported that he is in possession of four more collections, and he is currently reviewing them. He will be making a call on what to do with them after investigating them further. MEGA has since deleted the database.

While most of the data included in ‘Collection #1’ was already in HIBP, the data in collections #2 through #5 may end up making this one of the biggest data breaches ever seen. It is currently unknown if collections #2 to #5 are as big as ‘Collection #1’. If the remaining four collections are as significant as the first one, this may end up exposing details of billions of people.

What should you do?

The database is compiled of old data breaches, so if the data comes from known breaches, you most likely have been notified either by the service or by HIBP to change your password a long time ago. However, quite often data breaches sometimes take years to be discovered, so regular password changes are strongly recommended. Avoid using the same password on multiple platforms. The cybersecurity budgets of some companies are significantly lower when compared to others – we are confident JP Morgan Chase spends more on developing stronger security when compared to a t-shirt store. But if the passwords you use at both organizations are the same, hackers can steal your details from the weak organization and use the login credentials to get unauthorized access to services such as your internet banking.

You can easily check if your passwords or email addresses have been part of ‘Collection #1’ or if they have been pwned in the pat. You can search if your emails have been pwned here, and learn if your passwords are part of the breach by testing them here

Last but not least, have anti-virus software installed on all your connected devices. Most of the times high-quality anti-virus software comes with a password manager that will help you always know your password. Apart from the password management options, such software could also prevent hackers from stealing the missing piece from the puzzle that would allow them to make you a victim of cybercrime.

Download your Antivirus