A Wired report reveals that 2.2bn unique usernames and passwords have been exposed and shared online by malicious hackers.
The collection of stolen credentials, dubbed ‘Collections #2-5,’ has now overtaken Collection #1 as the biggest data leak ever recorded. Earlier this month, a hacker shared 773 million unique e-mail addresses and 21 million unique passwords, according to security researcher, Troy Hunt.
At the time, the Collection #1 breach was the biggest public breach ever, with millions of unique passwords exposed to the public. However, the latest data breach makes Collection #1 look small by comparison.
Chris Rouland, a cybersecurity researcher and founder of the IoT security firm Phosphorus.io, told Wired that “this is the biggest collection of breaches we’ve ever seen”. The data has been circulating on forums and has already been downloaded over 1,000 times on torrent sites.
Three times larger than Collection #1
After Troy Hunt identified the first batch of data, researchers at Hasso Plattner Institute in Potsdam, Germany, discovered the entire database, claiming that the full collection of data is three times larger than the Collection #1 batch.
The report notes that the stolen information is linked to previous breaches, including data leaks from Yahoo, LinkedIn, and Dropbox.
Researchers concluded that 750m credentials weren’t previously “included in their database of leaked usernames and passwords, Info Leak Checker, and that 611 million of the credentials in Collections #2-5 weren’t included in the Collection #1 data”.
A Hasso Plattner researcher also suggests that some of the data may originate from “obscure websites”, which means that some of the usernames and passwords are being leaked for the first time.
Troy Hunt’s service, ‘Have I Been Pwned,’ hasn’t added Collections #2-5 just yet, but users can use a tool developed by Hasso Plattner to check whether their account details have been compromised.
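Checking a credential against a breach corpus without handing the secret to a third party is the pattern these lookup services rely on. The example below is added here and is not code from the article, from Have I Been Pwned, or from the Hasso Plattner tool: it implements the k-anonymity range query published for the Pwned Passwords API (hash the password with SHA-1, send only the first five hex characters, receive every hash suffix with that prefix, and compare the remainder locally). The network call is replaced by a lookup into a constructed response so it runs offline; the suffixes and counts in that response are constructed, except that the last suffix is the genuine remainder of SHA-1("password").

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for a range response. A real range endpoint returns
# hundreds of "<35-hex-char suffix>:<count>" lines per 5-character prefix.
# Counts and the first two suffixes are constructed for this example; the
# third suffix is the real tail of SHA-1("password").
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "01A6C0C0A1E0F8E47CE2D7E1A5B8A9F0C12:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    ),
}


def sha1_upper_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(digest_hex: str) -> Tuple[str, str]:
    """Only the 5-character prefix leaves the client; the suffix stays local."""
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into a dict."""
    matches: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        matches[suffix.upper()] = int(count)
    return matches


def local_range_lookup(prefix: str) -> str:
    """Offline replacement for the HTTP GET to the range endpoint (constructed)."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def breach_count(
    password: str, range_lookup: Callable[[str], str] = local_range_lookup
) -> int:
    """How many times the password appears in the corpus; 0 if not found."""
    prefix, suffix = split_for_range_query(sha1_upper_hex(password))
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def is_known_breached(password: str) -> bool:
    return breach_count(password) > 0


if __name__ == "__main__":
    for candidate in ("password", "a long unique passphrase made by a manager"):
        print(f"{candidate!r}: seen {breach_count(candidate)} time(s)")
```

To talk to a live service, replace `local_range_lookup` with a function that performs the GET for the prefix and returns the response body; the parsing and comparison do not change. The design point is that the full hash is never transmitted, so the service learns only that one of roughly a million possible hashes was queried.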
“Multi-factor authentication isn’t being utilised”
Frederik Mennes, the head of OneSpan’s Security Competence Centre, commented on the breach by saying: “2.2 billion unique records is a staggering number. We are becoming accustomed to breach notification news, but sad to say, the use of multi-factor authentication is still not utilised whenever and wherever possible.
“Companies should remember that easy targets will continue to be exploited first because cybercrime follows the path of least resistance. Technology is evolving, and next-generation authentication, intelligent adaptive authentication, is gaining momentum. This technology utilises AI and machine learning to score vast amounts of data and, based on patterns, analyses the risk of a situation and adapts the security and required authentication accordingly.”
Enable 2FA or FIDO/U2F
This password leak shows that large quantities of “stolen passwords are readily available to anyone, regardless of how low their budget. However, data from recent breaches will be considerably more expensive to obtain,” said Steven Murdoch, the chief security architect at OneSpan’s Innovation Centre.
“Companies should recognise the limitations of password authentication and are in the best position to mitigate the weaknesses. They should implement additional measures, such as the detection of suspicious behaviour. Two-factor authentication, or even better, FIDO/U2F, should be offered to customers,” he added.
Mr. Murdoch advised users to avoid re-using the same passwords across multiple sites and to use a password manager to avoid falling victim to data breaches or password leaks such as this.
“The website https://twofactorauth.org gives instructions on how to enable two-factor authentication on many popular sites, as enabling 2FA, and preferably FIDO/U2F will significantly help to improve their security,” he said.