In mid-December, over 770 million email addresses and passwords were posted to a popular hacking forum. At 87 GB of data, it is the largest collection of breached data in history. You can stay safe from this and other breaches by using unique, randomly-generated passwords from Blur.
What is Collection #1?
The breach (now known as Collection #1) was discovered by security researcher Troy Hunt, who runs the breach-notification service Have I Been Pwned. Rather than a single hack of a very large service, like the recent Facebook or Marriott breaches, this breach comes from around 2,000 databases.
What is most scary is that the passwords released were “dehashed”, meaning the methods used to scramble those passwords into unreadable strings have been cracked, leaving them fully exposed.
Who is Responsible for the Breach?
According to security reporter Brian Krebs, Collection #1 is just a single offering from a seller who claims to have at least six more batches of data. The identity of this seller remains unknown. Since the data was being advertised and discussed on a criminal forum, in theory almost anyone visiting that source has access to it.
Who is a Victim?
According to Hunt, the list contains about “1,160,253,228 unique combinations of email addresses and passwords,” and “21,222,975 unique passwords”. The list began “circulating broadly” last week.
About 82% of the email addresses have appeared in previous breaches shared among hackers, but about 140 million email addresses have not been seen before.
You can check if your email address was compromised at Have I Been Pwned.
How Were Victims Affected?
Hackers rely on victims re-using passwords in “credential stuffing attacks”. Once they know a password that is linked to a particular email address, they can use that log-in combination to attack several accounts belonging to that email address.
“This collection can easily be turned into a single list of emails and passwords: and then all that attackers need to do is to write a relatively simple software program to check if the passwords are working,” said Sergey Lozhkin, a security expert at Kaspersky Lab.
From there, it’s easy for attackers to do a lot of damage. According to Lozhkin, “the consequences of account access can range from very productive phishing, as criminals can automatically send malicious emails to a victim’s list of contacts, to targeted attacks designed to steal victims’ entire digital identity or money or to compromise their social media network data.”
How Can You Stay Safe from Credential Stuffing?
The reason that credential stuffing attacks are possible is that so many people reuse the same password for many different accounts. Having a different combination of email and password to log in to each site means that your information is less valuable to hackers.
Of course, it’s a total pain to create a new email and remember a unique and difficult-to-guess password for each account by yourself. Luckily, Blur will do these things for you.
Every time you make a new online account, Blur will generate a Masked Email and Password for you to use instead of your personal email or a password that you’ve used before.
Masked Emails still work like your real email address–anything sent to your Masked Email addresses can be forwarded to your real personal email inbox. The sender will not know your personal address, and will not be able to connect any accounts using the Masked Email to your personal one.
The passwords generated by Blur are random combinations of numbers, letters, and special characters–they can’t be easily guessed, and you can use a unique password for each account. Blur will keep track of your passwords for you, and auto-fill your information when you log in to your accounts.
On top of that, Blur is not able to access your passwords. They are stored and encrypted in such a way that only you can see and edit your data.
Hunt explains, “if you’re one of those people who think it won’t happen to you, then it probably already has.” Even if you’ve signed up for a harmless forum years ago that you’ve long-since forgotten about, your email and password could be compromised.
Take control of your personal information and stay safe with Blur!
Abine, Inc. is The Online Privacy Company. Founded in 2009 by MIT engineers and financial experts, Abine’s mission is to provide easy-to-use online privacy tools and services to everybody who wants them. Abine’s tools are built for consumers to help them control the personal information companies, third parties, and other people see about them online.
DeleteMe by Abine is a hands-free subscription service that removes personal information from public online databases, data brokers, and people search websites.
Blur by Abine is the only password manager and digital wallet that also blocks trackers, and helps users remain private online by providing ‘Masked’ information whenever companies are asking for personal information.
Abine’s solutions have been trusted by over 25 million people worldwide.