Hacker harvest 2021 has begun. According to CyberNews, 3.27 billion unique pairs of emails and passwords were leaked on a popular hacking forum, aggregating past leaks from Netflix, LinkedIn, and other platforms.
The current breach, dubbed “Compilation of Many Breaches” (COMB), doesn’t appear to be a new breach; rather, as the name suggests, it’s a compilation of multiple breaches. Nonetheless, COMB contains more than twice as many unique email-and-password pairs as the Breach Compilation of 2017, in which 1.4 billion credentials, ranging from financial data to the personal information of every U.S. voter, were pilfered from a collection of 252 previous hacks.
How bad is this? Very.
CyberNews says it’s unclear what previously leaked databases were collected in this breach, but the samples it’s been able to access contained emails and passwords for domains from around the world. The big problem with this leak is that it’s not just a list, but an “interactive database” that allows hackers to search for matches and new breach imports.
“Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover,” identity intelligence company 4iQ said of the situation.
The bottom line is that if users use the same passwords for LinkedIn or Netflix as for their Gmail accounts, then attackers may be able to leverage that information against other, possibly more important, accounts. As a reference point, 3 billion pieces of personal data is 10 times larger than the U.S. population, and that could loom big and bad for everyone.
“The impact to consumers and businesses of this new breach may be unprecedented. Because the majority of people reuse their passwords and usernames across multiple accounts, credential stuffing attacks are the biggest threat,” said CyberNews’ Bernard Meyer.
Are you affected?
Unless you were able to lay hands on all the data hacked in COMB, your best bet toward being safe and secure is to search your email address on one of the online threat scanners. Consumers can use the Have I Been Pwned tool to see if their information is part of any breach, not just the COMB one.
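The same service also lets a user or a service check whether a password itself appears in known breach corpora without ever sending that password anywhere. The following is an added example, not code from the article or from Have I Been Pwned: it hashes the password locally, sends only the first five hex characters of the SHA-1 to the public Pwned Passwords range endpoint, and matches the remaining suffix locally. The bucket contents below are constructed for offline use (the counts are hypothetical; only the suffix for "password" is real).

```python
import hashlib
import urllib.request
from typing import Callable, Dict

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed excerpt of a range response for prefix 5BAA6. Real buckets hold
# hundreds of lines; the counts here are made up (hypothetical), and only the
# middle line is the genuine SHA-1 suffix of "password".
SAMPLE_RANGE_RESPONSE = """00D4F6E8A0B15D3D0D3DB8E1A1C3F9E2B4C:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FFA1B2C3D4E5F60718293A4B5C6D7E8F901:7
"""

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(text: str) -> Dict[str, int]:
    """Map each 'SUFFIX:COUNT' line to suffix -> count.
    Count-0 entries are padding (sent when Add-Padding is requested) and are dropped."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.rsplit(":", 1)
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix: str) -> str:
    """Fetch one bucket over the network; only the 5-char prefix leaves this host."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "comb-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed bucket above."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""

def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Times the password appears in the corpus (0 = not seen).
    k-anonymity: hash locally, send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch(prefix)).get(suffix, 0)
```

Calling `breach_count("password")` with the default `fetch_range` performs the real lookup; passing `offline_fetch` runs entirely against the constructed bucket.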
“In any case, users are normally recommended to change their passwords on a regular basis, and to use unique passwords for every account,” Meyer recommended. “Doing so – creating and remembering unique passwords – can be quite challenging, and we recommend users get password managers to help them create strong passwords.”
“I recommend everyone to follow good security practices such as using unique passwords for every service that they sign up to and using two-factor authentication whenever possible,” Jim Scott, a cybersecurity researcher, told ConsumerAffairs. Meyer agreed, saying that multi-factor authentication’s strength comes in handy for more sensitive accounts. “That way, even if an attacker has their username and password, they won’t be able to get into their accounts,” he stated.
Two-factor or multi-factor authentication is available via an app like Google Authenticator, or through the security settings of a user’s Facebook, Dropbox, Amazon, and other accounts.