‘Collection #1’ Password Breach Aftermath: How to Secure Your Account?

Data leaks and security breaches happen every day, but no one expected something as massive as the infamous ‘Collection #1’ leak. More than one billion – 1,160,253,228 email/password pairs to be precise – have been published. In addition to that, 773 million unique emails were also listed for everyone to see.

Well-known security expert Troy Hunt called it the biggest breach in history. He also created a website called Have I Been Pwned (https://haveibeenpwned.com) where everyone can check their emails. If you are curious, you can do it right now as well. There is a chance that your email has been pwned, maybe even more than once, depending on which sites from ‘Collection #1’ you have visited. This so-called collection combines data from many previous data breaches, potentially going back to 2008.

Am I in danger?

It is possible. To be 100% sure, visit Troy’s website and enter the current (or former) email address you use (or used) as a login for various online services. Your results will appear a second after you click the “pwned?” button on the main page. Your email may have been caught in multiple data breaches, or you might be a lucky person who avoided the “largest data leak in history.”

Which passwords are considered to be weak?

If you didn’t leave the Have I Been Pwned website after checking your email, you have probably noticed other interesting things on it. For example, there is a page where you can check whether your password has been compromised. To check it, you do have to type it in, but don’t worry: there are no lists with complete login-password pairs. All leaked passwords and account names are kept separate.

Mr. Hunt created a separate password scanner. Troy’s website does not collect anything you enter – it only checks your data against the already existing database of leaked passwords and emails. If you have a simple generic password such as “qwerty,” “password123,” or “computer2,” you will probably see a message saying something like “Oh no — pwned! This password has been seen 1 635 times before,” which is obviously not good. Longer passwords with letters and numbers are more likely to be unique, and it is possible that there will be no matches. We recommend you change your password if you see the warning that you have been pwned.

What else?

Honestly, we should thank the cyber gods that “Collection #1” contained only passwords and emails without real addresses, credit card numbers, names, social security info, and other private information. Who knows what would have happened if everyone had rushed to change credit cards, freeze their credit reports, and so on. In conclusion, we want to remind you that it is important to keep control of your accounts and passwords, especially if one of your accounts has been exposed.

First and foremost, immediately change your password if you have found it in the Have I Been Pwned database. Try to use unique passwords for different accounts – yes, it is tempting to use just one password everywhere, but if it is leaked, then all your accounts are in danger. If you are already using unique passwords, check them all on https://haveibeenpwned.com. Tools like 1Password will help you with this task. Furthermore, if one of your passwords becomes compromised in a new breach, you will be informed in time.

Today we all have many accounts for various services and websites, so using a password manager is a good idea. Your password is the key to your private information, which is why nothing justifies the use of weak passwords. Also, these security apps will notify you about new major data leaks. Better safe than sorry.

And, of course, you can do more. Today your password is just one piece of the puzzle if you are using two-factor authentication. We recommend using this security feature on every website that has it. Even if someone discovers your strong and scary password, they won’t be able to log in to your account, as you have to approve all new logins (including those from new locations or unknown devices).