On January 17, Troy Hunt, an independent cybersecurity researcher and Microsoft Regional Director, posted that he had found a large collection of files containing email addresses and passwords obtained in numerous data breaches, which was being shared on a hacker forum. Hunt calculated that the collection of files, located on the MEGA cloud storage service founded by Internet entrepreneur Kim Dotcom, included 1,160,253,228 unique combinations of email addresses and passwords. After cleaning up the data, Hunt found a total of 772,904,991 unique email addresses and 21,222,975 unique passwords.
Hunt stated that he has now loaded the cleaned-up data onto his website, have i been pwned?, where he has previously loaded similar data from many other data breaches (such as Adobe and Ashley Madison), so that members of the public can check their own online credentials against the data. For security reasons, Hunt keeps the search features for email addresses and passwords separate: email addresses can be searched on the have i been pwned? homepage, and passwords at Pwned Passwords.
Note: Chief information security officers and corporate compliance officers should make use of this report in two ways. First, in explaining to corporate officers and employees the scope and scale of cybercrime, they can cite Hunt’s calculated total of more than 772 million hacked email addresses and more than 21 million unique passwords – the largest collection of breached data that Hunt has found and loaded onto his site – as a recent instance of the volumes of breached data that hackers routinely use to target businesses, government agencies, and individuals. Second, they should consider using have i been pwned? and Pwned Passwords in live briefing and training sessions, to show corporate employees that the need to pay attention to cybersecurity and change passwords is urgent and important. Hunt is a highly knowledgeable and respected cybersecurity researcher, speaker, and trainer, and Fox Business reported that millions of people have used his website since its creation in 2013 to check their identifying data.
In any event, readers of this blog should check their details and, whether or not they find that their data have been breached, take to heart the fundamental rules of personal cybersecurity that Hunt and others have stated many times: never reuse a password; if you have, change those passwords; and use a password manager to handle the multiplicity of your passwords. Simple steps are still key to reducing the risk of having your personal or business data hacked and misused.