
Collection#1, a.k.a. the biggest security breach in history

29/01/19 5 min. read

If you are reading this article, it is because you are aware of the biggest security breach in history: Collection#1, in which nearly 773 million email accounts, along with their passwords (21 million), have been leaked. That is, almost 40 people use the same access code as you.

Experts had been warning us for some time now that this might actually happen. So far, no one knows who is behind the data that was leaked and published on MEGA, but the truth is that this situation results from the aggregation of previous leaks.

How to check if your data has been leaked in Collection#1

To check whether your data has been leaked, we have at our disposal a website created by cybersecurity expert Troy Hunt, which allows us to test whether our email account has at some point been exposed in this kind of leak.
The website's name is Have I been pwned?


In this image you can see that my private email address has also been leaked at some point.

[Image: Collection#1 security data breach]


To be more precise, on three separate occasions, including Collection#1:

[Image: the times my email has been hacked, with the result "Oh no – pwned!"]


Does this mean that my actual password is on that list? Maybe. Or maybe not. It is possible that the leaked data is old and should not concern us. Remember that Collection#1 is the aggregate of previous leaks.
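To answer that question for a specific password rather than an email address, Have I Been Pwned also offers a Pwned Passwords range lookup, which this article does not cover. The following is an added example, not code from the article or from the site: it hashes the password locally with SHA-1 and sends only the first five hex characters; the helper names and the offline `constructed_fetch` response, including its counts, are made up for the illustration.

```python
import hashlib
import urllib.request

# Range endpoint of Have I Been Pwned's Pwned Passwords service.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password):
    """Return (first 5, remaining 35) hex chars of the password's SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, body):
    """Find our suffix in a 'SUFFIX:COUNT' response body; 0 if absent."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix):
    """Live lookup: only the 5-character prefix ever leaves the machine."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password, fetch=fetch_range):
    """Number of times the password appears in the data returned by fetch."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))

def constructed_fetch(prefix):
    """Offline stand-in: constructed response where 'password123' was seen 42 times."""
    leaked_prefix, leaked_suffix = split_hash("password123")
    lines = ["0" * 35 + ":3", "F" * 35 + ":1"]  # constructed filler entries
    if prefix == leaked_prefix:
        lines.insert(1, leaked_suffix + ":42")
    return "\r\n".join(lines)

if __name__ == "__main__":
    # Counts below come from the constructed response, not from real breach data.
    for pw in ("password123", "IReallyLikeToPlayFootball_11"):
        print(pw, "->", pwned_count(pw, fetch=constructed_fetch))
```

Calling `pwned_count(pw)` without the `fetch` argument performs the live lookup; the full password and its full hash stay on your machine in both cases.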


My email address is in Collection#1. What do I do now?

Because we do not know whether the leaked data is up to date, the first thing I advise you to do is to change your password.

Do this mainly on the websites that hold private or financial data (email, social networks, websites like eBay, Amazon, etc.), prioritizing the latter (such as credit cards or bank accounts) and especially the ones on which you may have reused your password.

The norm after this kind of data breach, where your email account is compromised, is that you start receiving suspicious emails trying to phish you: strange and unexpected emails from strangers, or from family and friends, trying to reach you in a shady way.

1. Make sure you choose a strong password

Don’t use your birth date, ID number, name or surname in it. Make sure you mix letters, numbers and non-alphanumeric characters. Something like IReallyLikeToPlayFootball_11 would be strong enough to pass the test.

Change your passwords often and do not use the same ones on different sites, since this reuse is what the bad guys profit from in order to hack your Gmail account through, for example, a password leak at LinkedIn.

2. Use a password manager

And some final advice: use a password manager like LastPass or 1Password. These managers allow you to store all of your passwords safely on all your devices, as well as to generate complex passwords. Plus, they also notify you in case one of them has been compromised. To access these managers you need a single password that is encrypted multiple times and that is impossible to hack.

How can I increase the protection?

If you have a Gmail account, you can activate 2-step verification (2FA). That way, even if your password has been “robbed”, the cracker (bad hacker) won’t be able to log into your account unless they have your phone in their hands.

The 2-step verification works in the following way: when you try to log into the email account from a device/browser that has not been previously recognized, you will see this:

[Image: Google verification]

At the same time, you will receive a message from Google on the phone number you have associated with the account, to confirm that you are the one trying to log in:

[Image: Google 2-step verification message]


If you receive this message and you are not trying to log into your email account at that specific moment, someone else has stolen your credentials 🙁

Setting Google’s type of security notices

With Google you can set the type of notices you receive and restrict access to your mail account from certain websites/browsers that were previously authorized:

[Image: configuring Google security notices]


You can also add more ways to protect your account and to recover it should it be stolen:

[Image: verifying your identity for Google mail]

Protecting your enterprise


It is very important for you to understand that you must never use your corporate email account to register on third-party websites unless it is strictly necessary. If your email account were compromised, you would put the entity at risk and damage its reputation.

Joan Rodríguez

Santander Global Tech

I am a superior computing engineer and I have had the great chance of working in all waterfall or agile development profiles: Developer, SW Architect, SW Evangelist, Scrum Master, Project Manager, Team Leader, QA Tester and Product Owner. I consider myself to be restless, resilient, geek and mostly, family-oriented. Currently, I am making cybersecurity developments for Group Santander.

 
