Collection #1 Password Breach
6 years ago
Heads up
Earlier this month, a gigantic collection of email addresses and plaintext (meaning unencrypted) passwords was discovered circulating the web, involving over two billion combinations. Known as "Collection #1", this is a huge security risk and very, very easily could have affected everyone here, hence the dedicated announcement.
What to do
First of all, don't panic. These aren't an ongoing problem; they were gathered once, and after changing your password on an affected account it will no longer be vulnerable. Use services like haveibeenpwned.com to check your email addresses and passwords to check if they were potentially affected, and which passwords you'll need to change.
https://haveibeenpwned.com/
https://haveibeenpwned.com/Passwords
https://haveibeenpwned.com/PwnedWebsites
Second, get yourself a password manager of some sort. Google has one built right into Chrome, which is actually quite nice, but it doesn't really work for anything besides Chrome, so you can't really use it for game passwords or whatever. A better idea would be to get something like LastPass or 1Password, which are dedicated password managers that, as the name would imply, mean that you only have to remember one password, and it's the last password you'll have to remember.
https://www.lastpass.com/
https://1password.com/
Third, stop reusing old passwords. If your password appears in that list in conjunction with a username you've used it previously on, any future websites you make an account on using that combination are automatically insecure. The point of a password manager is to allow you to have hypercomplex passwords that are all unique to each account ("ceGXe2*1KF&Dxz2hYk6V" is one that I generated just now with LastPass). If you can remember all your passwords, then there's a problem.
Final notes
I know this is work and you probably might not want to do anything about it, but the truth is this kind of thing is actually a huge problem, and could be potentially catastrophic if a password you used for, say, your bank account was one of the ones that were breached. If you don't particularly care about an account on something, then that's fine and you shouldn't worry about it unless, again, it has access to your bank information. Once you get a password manager, though, it'll actually make your life quite a bit easier and a heck of a lot more secure than it used to be, making it one of the rare security measures that actually removes work.
In a nutshell, KeePass is feature rich and rather complex but if you want to store your password in "Fort Knox", it can bring you a few steps closer to that.
Another one I have been trying out is Enpass, though I have to add that it's not an entirely free product. You can add up to 20 passwords (or other types of information) to your database; after that you need to get a license. The mobile app is pretty handy though, while I don't use it very often it's good to have if you want to access your stuff on your phone too. Synchronisation is done using a cloud service - DropBox as well as the one from Microsoft and a few others.
Btw., there are quite a few programs out there, it's always good to try them out first (preferably with test data) before switching!
This leads me to believe that a lot of the dumps contain email addresses that might not exist, but have a high probability of existing or at the very least have a high probability of being created sometime in the future.
It's also possible that some of the dumps are actually aggregations of multiple different dumps that were all posted under one name, which could lead to seemingly corporate email addresses being returned under breaches of "game" websites (that or someone is really slacking off at work).
Another thing I noticed was how consistent the results were for the same email addresses. Whenever you test the same email, it always returns the exact same results as before. Additionally, it includes results for breaches that it had no good reason to connect it to (it noticed a breach in neopets for my personal email, which is a website I haven't even been to in over a decade).
The creator of HIBP, Troy Hunt, is a regional director for Microsoft, and is very visibly and publicly outing himself as the creator of the website. He posts a lot of articles on the topics of the breaches he records in the utility, and generally is putting way too much effort into this for it to be a simple fake or hoax. Since it's likely not just a simple fake, that means either he has some nefarious ulterior motive (in which case why would he say he's the owner and creator of the site in case it's discovered?) or it actually is what it says it is.
tl;dr - I don't think it's a simple fake, it's too convincing and too much effort was put into it. I don't think it's a nefarious scheme to steal all our passwords and emails, the creator is too open about it. Therefore, I believe it's actually what it says it is, and simply has a number of cases in which false positives are returned.