Data breach exposes 773 million email addresses and 21 million passwords


A security researcher says the breach is several years old

A newly discovered data breach has reportedly exposed 772,904,991 unique emails and 21,222,975 unique passwords. The breach, dubbed “Collection #1,” was first detailed by Troy Hunt, who operates the website Have I Been Pwned (HIBP).

On Thursday, Hunt said the cache was approximately 87GB in size, spread across some 12,000 separate files. It was likely “made up of many different individual data breaches from literally thousands of different sources,” he said.

The data had been uploaded to MEGA, a popular cloud storage service, and then advertised on a popular hacking forum. The password hashes in the collection had already been cracked, so the passwords are available in plain text and can be used directly.

The breach means the exposed email and password combinations can be fed into a practice called “credential stuffing,” according to Hunt.

“Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts,” he explained.
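The pattern Hunt describes is visible on the receiving end: one client tries many different usernames, most of them failing, while a genuine user who forgot a password retries a single account. The following detector is an added example written for this article, not code from Hunt or Have I Been Pwned; the log format, the sample events, and the thresholds are assumptions chosen for illustration.

```python
"""Toy credential-stuffing detector over constructed login-event lines.

Added example (not from the article or from Have I Been Pwned): the log
format, thresholds and sample events below are assumptions for illustration.
Credential stuffing shows up as one client trying many *different* usernames,
mostly failing, whereas a user who forgot a password retries one username.
"""
from collections import defaultdict

# Constructed sample log: "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2019-01-17T10:00:01Z 198.51.100.7 alice@example.com FAIL
2019-01-17T10:00:01Z 198.51.100.7 bob@example.com FAIL
2019-01-17T10:00:02Z 198.51.100.7 carol@example.com SUCCESS
2019-01-17T10:00:02Z 198.51.100.7 dave@example.com FAIL
2019-01-17T10:00:03Z 198.51.100.7 erin@example.com FAIL
2019-01-17T10:00:03Z 198.51.100.7 frank@example.com FAIL
2019-01-17T10:00:05Z 203.0.113.9 grace@example.com FAIL
2019-01-17T10:00:09Z 203.0.113.9 grace@example.com FAIL
2019-01-17T10:00:15Z 203.0.113.9 grace@example.com SUCCESS
2019-01-17T10:01:00Z 192.0.2.44 heidi@example.com SUCCESS
"""


def parse_events(log_text):
    """Yield (timestamp, ip, username, success) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        yield ts, ip, user, result.upper() == "SUCCESS"


def summarize_by_ip(events):
    """Per source IP: distinct usernames tried, total attempts, and failures."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for _, ip, user, ok in events:
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if not ok:
            s["failures"] += 1
    return stats


def flag_stuffing(log_text, min_distinct_users=5, min_failure_ratio=0.6):
    """Return the source IPs whose pattern looks like credential stuffing.

    Thresholds are assumptions; tune them against the site's real traffic.
    """
    flagged = []
    for ip, s in summarize_by_ip(parse_events(log_text)).items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_stuffing(SAMPLE_LOG))  # ['198.51.100.7']
```

Note that the flagged client did log in once in the middle of its burst: that single success against a reused password is the whole point of the attack, and it is the account to lock and notify, while the retrying user at 203.0.113.9 is left alone.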

Years old

The breach is most dangerous for people who have reused the same email address and password combination across multiple sites.

While the Guardian described the breach as “the largest collection ever of breached data found,” security journalist Brian Krebs, who operates the site KrebsOnSecurity, found otherwise: the data in the collection is at least two to three years old.

Krebs interviewed Alex Holden, CTO of Hold Security, who said the practice of collecting large amounts of credentials and posting it online “was popularized several years ago by Russian hackers on various Dark Web forums.”

“Because the data is gathered from a number of breaches, typically older data, it does not present a direct danger to the general user community. Its sheer volume is impressive, yet, by account of many hackers the data is not greatly useful,” Holden said.

Krebs discovered that the seller of the stolen data claims to have at least six more batches of data, totaling “almost 1 Terabyte of stolen and hacked passwords.”

Find out if you’re affected

To find out whether your email address appears in the breach, visit Have I Been Pwned, enter your email address, search, and scroll down to the list of breaches it was found in. You can also check whether a password has been compromised by running it through the site’s Pwned Passwords feature, which searches by password rather than by account.

“Whilst I can't tell you precisely what password was against your own record in the breach, I can tell you if any password you're interested in has appeared in previous breaches Pwned Passwords has indexed. If one of yours shows up there, you really want to stop using it on any service you care about,” Hunt wrote on his blog.
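Pwned Passwords can be queried without ever sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the public range endpoint at https://api.pwnedpasswords.com/range/, and receives every hash suffix in that bucket with a count, so the match is made locally. The script below is an added example for this article, not code from Hunt or Have I Been Pwned; the sample bucket it parses is constructed so it runs offline, and its counts are illustrative rather than real figures.

```python
"""Check a password against Pwned Passwords without sending the password.

Added example, not code from the article or from Have I Been Pwned. It uses
the public range endpoint https://api.pwnedpasswords.com/range/<prefix>
(k-anonymity: only the first five hex characters of the SHA-1 leave the
machine; the server returns every suffix in that bucket with a count).
The sample response body below is constructed for offline use, and its
counts are illustrative, not real figures.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn 'SUFFIX:COUNT' lines (CRLF or LF separated) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live fetch of one hash bucket (needs network; not used by the offline check)."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetcher=fetch_range):
    """Return how often the password appears in Pwned Passwords (0 if never seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetcher(prefix)).get(suffix, 0)


# Constructed bucket for prefix 5BAA6 (SHA-1("password") starts with 5BAA6).
# The counts are made up for this example.
SAMPLE_RESPONSE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
    "01A5EE4F2EEA74B5C3F0D0A5C6F6C1E9A7B:12\r\n"
)


def offline_fetch(prefix):
    """Stand-in for fetch_range: serve the constructed bucket, empty for others."""
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print("password ->", pwned_count("password", offline_fetch))
    print("correct horse battery staple ->",
          pwned_count("correct horse battery staple", offline_fetch))
```

To run it against the live service, call `pwned_count(password)` with the default fetcher; the request carries only the five-character prefix, which is shared by hundreds of other hashes, so the service learns nothing useful about the password being checked.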

Consumers are once again urged to use strong, unique passwords, never reuse a password across sites, enable two-factor authentication, and consider using a password manager.
