Collection #1 hack: How to know if you have been exposed and what to do if you are

The effects of the world's biggest data breach are likely to be felt for years

Andrew Griffin
Thursday 17 January 2019 12:35 EST
Comments
Huge data breach reveals hundreds of millions of emails and passwords from across the internet

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

The world's biggest data dump has just hit the internet. And somewhere among the nearly a billion logins might well be yours.

The trove of information – which is being referred to as Collection #1 – contains email addresses and passwords taken from a series of breaches from websites around the internet. It is now readily available, having been published online for conceivably anyone to download.

The scale of the dump is unprecedented: it includes 800 million email addresses and passwords, many of which will have been re-used over the internet. Taken together, it is a powerful set of information for anyone who wants to attack people with it.

Anyone affected by the hack could have the information found within it used against them. And anyone who has used the internet in the last decade could be one of those affected.

But there are some important ways to stay safe against the kind of attacks that malicious internet users might do with the information.

How do I know if I've been hacked?

First it's useful to know whether you're part of the hack, though it is good to be as conscientious and vigilant about how you use the internet whether you were or not.

To find out, head to the website HaveIBeenPwned.com. That website is run by cyber security researcher Troy Hunt, who also happened to bring the new cache of details to the notice of the public, as well as adding them to his collection of affected accounts.

On that site, you can type in any email addresses you own, and the site will tell you not just whether they have been part of a breach but also how many times and from where.

You can also type in specific passwords, allowing you to find out if those have been exposed, too. Most likely they have, if you're not using good password hygiene already, and so if the screen turns red it doesn't mean there's any immediate need to panic.

Once you know whether you have been hit by the new attack or not, it is important to secure your accounts against abuse from this leak or any other in the future.

What might happen to me if my data has been stolen?

The newly leaked information, according to Mr Hunt, came from a database that was created for hackers to use for credential stuffing. That is something like how it sounds: it means stuffing a whole host of different logins into accounts in an automated way, until they get lucky and the account is unlocked, allowing them access to whatever was being secured.

It works because people tend to reuse their email addresses and passwords across a range of different sites. If someone stole your login from one long-forgotten website, then you might still be using the same details now – a forum you've not used in years could allow an attacker into your Facebook account or bank, if you've not changed the password.

So, in theory, you might lose access to your accounts. In practise, it's relatively easy to stop that happening – so long as you take proactive measures.

What should I do?

Most importantly, regularly change your passwords and make sure you are not using them across websites. It can be much easier to keep using the same old password across a variety of sites – but it will be a lot harder when something goes wrong.

There are a variety of services that offer the ability to do this for you, making it much easier to avoid this, called password managers. They are growing in popularity – companies like 1Password have long offered apps for a variety of platforms, and Apple has even built its own password manager into iOS and Safari on the Mac, allowing it to generate and then store your logins away.

Some password managers even offer the ability to see when one of your stored passwords turns up in a breach like this, and easy ways of picking a new one. So it is an investment for the future too.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in