The recent data breach in MEGA, a popular cloud service, leaked about 87GB of data, including 772,904,991 unique email addresses and over 21 million unique passwords, which hackers distributed in a folder dubbed “Collection #1”.
This breach was first reported by a security researcher, Troy Hunt. The link to the dump was posted on a hacking forum, but has since been taken down from the service.
New breach: The "Collection #1" credential stuffing list began broadly circulating last week and contains 772,904,991 unique email addresses with plain text passwords (now in Pwned Passwords). 82% of addresses were already in @haveibeenpwned. Read more: https://t.co/BAa3rbgZo4
— Have I Been Pwned (@haveibeenpwned) January 16, 2019
According to a Wired report, “While it’s difficult to confirm exactly where all that info came from, it appears to be something of a breach of breaches; that is to say, it claims to aggregate over 2,000 leaked databases that contain passwords whose protective hashing has been cracked.”
“It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers. There’s no obvious patterns, just maximum exposure”, Hunt said.
Hunt has uploaded all the email addresses and passwords into his site, haveibeenpwned. This allows users to be notified when their email address has been caught up in a breach, or to check whether a password has been exposed and has to be changed.
Wired states that around 140 million email accounts and over 10 million unique passwords in Collection #1 are new to Hunt’s database. This means that they are not just duplicates from prior megabreaches.
“These are all plain text passwords. If we take a breach like Dropbox, there may have been 68 million unique email addresses in there, but the passwords were cryptographically hashed, making them very difficult to use”, Hunt said. He also said that all this data was openly available to anyone on the popular cloud storage site and then on a public hacking site.
The only way to stay safe is to never reuse a password for multiple sites. Hunt says, “It might be contrary to traditional thinking, but writing unique passwords down in a book and keeping them inside your physically locked house is a damn sight better than reusing the same one all over the web.”
For more detail on this breach, see Troy Hunt’s blog post.