It’s time to change your password again.
More than 87GB of passwords and email addresses have been leaked and distributed in a folder dubbed “Collection #1” by hackers in a significant data breach.
As detailed by security researcher Troy Hunt, the trove of nearly 22 million unique passwords and more than 772 million email addresses was hosted on cloud storage service MEGA.
The link to the dump was posted on a hacking forum, but has since been taken down from the service.
New breach: The “Collection #1” credential stuffing list began broadly circulating last week and contains 772,904,991 unique email addresses with plain text passwords (now in Pwned Passwords). 82% of addresses were already in @haveibeenpwned. Read more: https://t.co/BAa3rbgZo4
— Have I Been Pwned (@haveibeenpwned) January 16, 2019
Hunt explains that the cache of emails and passwords was built up from numerous data breaches, allegedly from thousands of sources, dating all the way back to 2008.
He came across the collection of files after he was alerted by “multiple people” last week, and discovered the breach even includes an email address and password he used years ago.
“Like many of you reading this, I’ve been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public,” he wrote.
“Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again.”
Hunt has loaded the email addresses and passwords into his site, haveibeenpwned, which allows people to be notified when their email has been tangled in a breach, or check if a password has been exposed and is thus unsuitable for use.
After you’re done checking whether your email address or password has been compromised, it’s worth looking into a password manager, or even an analog one like a notebook, where you can store difficult-to-remember passwords.
“It might be contrary to traditional thinking, but writing unique passwords down in a book and keeping them inside your physically locked house is a damn sight better than reusing the same one all over the web,” he added.