Security researcher Troy Hunt, who runs Have I Been Pwned, has reported a data set containing 772,904,991 unique email addresses. It circulated under the name “Collection #1” and was hosted, until it was taken down, on the cloud storage service MEGA. The raw files held 2,692,818,238 rows of email addresses and passwords; the 772 million figure is what remained after Hunt de-duplicated those rows, since the same address appears many times across the source files. Note that this is not one new breach but an aggregation of many older leaks, compiled for credential stuffing, which is why 82% of the addresses were already in Have I Been Pwned.
New breach: The “Collection #1” credential stuffing list began broadly circulating last week and contains 772,904,991 unique email addresses with plain text passwords (now in Pwned Passwords). 82% of addresses were already in @haveibeenpwned. Read more: https://t.co/BAa3rbgZo4
— Have I Been Pwned (@haveibeenpwned) January 16, 2019
How to check if your email address has been compromised?
Simply head over to https://haveibeenpwned.com and enter your email address. The site searches the breaches it has indexed and lists those (if any) in which your address appears. The passwords from Collection #1 have also been loaded into Pwned Passwords, the site's companion service, which lets you check whether a password itself has appeared in a breach without sending the password to the site: your browser hashes it with SHA-1 and sends only the first five characters of the hash. If you are uncomfortable keying your email address into the site, follow the tips below anyway.
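The privacy-preserving lookup described above can be reproduced outside the browser. The following is an added example, not code from Have I Been Pwned or from the original post: it hashes a password with SHA-1, sends only the first five hex characters of the hash to the real range endpoint (https://api.pwnedpasswords.com/range/{prefix}), and compares the remaining 35 characters locally against the returned list. The sample response embedded in the script is constructed for the example (only the SHA-1 suffix of the word "password" is real) so that the demo runs offline; the `fetch_range` parameter lets you swap in the live fetch.

```python
import hashlib
import urllib.request

# Constructed sample of what the range endpoint returns for the prefix 5BAA6:
# one "<35-hex-char SHA-1 suffix>:<count>" entry per line. All suffixes and
# counts here are made up for the example, except that the third line is the
# real suffix of SHA-1("password"), so that the lookup below finds it.
# A ":0" line is included because the optional Add-Padding header makes the
# service pad responses with dummy zero-count entries that must be ignored.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0
"""


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn the API body into {suffix: count}, dropping padding entries (count 0)."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        count = int(count)
        if count > 0:
            counts[suffix.upper()] = count
    return counts


def fetch_range_live(prefix):
    """Query the real service (network access required)."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "pwned-passwords-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=fetch_range_live):
    """Return how many times the password appears in Pwned Passwords (0 = not seen).
    Only the 5-char prefix reaches fetch_range; the suffix match happens here."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline stub: ignores the prefix and always returns the constructed sample.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch_range=offline)
        print("%r: %s" % (pw, ("seen %d times" % n) if n else "not in the sample set"))
```

Because the service only ever sees the five-character prefix, each query maps to several hundred candidate hashes, so it cannot tell which password you actually checked. The same idea is worth building into a sign-up form: reject any password whose count is non-zero.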
What should you do?
If your email address appears in the list, change the password on every online account that uses that address, starting with the email account itself, since a mailbox can be used to reset every other password. Otherwise attackers can use the stolen email/password pairs to hijack your accounts. A list like this is built for credential stuffing: the pairs are replayed automatically against many unrelated sites, and because most people reuse the same password everywhere, one leaked password often opens several accounts.
Even if your email address isn't in any of these lists, don't let your guard down. Be careful which site you are signing in to. There has been a rise in phishing sites targeting Singaporeans with fake DBS/POSB websites. These sites record the username and password you enter and immediately use them to take over your real account.
Some tips to stay safe
- Use 2FA (Two-Factor Authentication) wherever it is offered, especially for accounts holding sensitive data. Typically a one-time password (OTP) is sent to your phone at login, so someone who knows only your password still cannot get in. A word of caution: never share an OTP with anyone, not even family or friends. WhatsApp accounts have been hijacked this way: the attacker takes over one account, impersonates its owner, and messages that person's contacts asking them to forward the OTP that has just arrived on their phone. Whoever shares it loses their own account, and the cycle repeats through their contact list.
- Use a password manager (e.g. 1Password, LastPass) to generate a unique, strong password for every online account. You won't have to remember them; password managers have mobile apps and browser extensions that sync your vault across devices. Unique passwords are what defeat credential stuffing: a password leaked from one site is useless anywhere else.
- Always check the URL of the site you are on, especially when signing in. It must use HTTPS and the domain must be spelt exactly right. We cannot emphasize this enough! Note that HTTPS alone is not proof of legitimacy: phishing sites routinely obtain valid certificates, so the padlock only tells you the connection is encrypted, not who is on the other end. The usual trick is a lookalike address, such as the bank's name buried inside a subdomain of some other domain.
- Always check where your emails come from. Messages claiming to be from your bank and warning that your account has been “locked” and needs immediate action usually lead to a fake website that steals your login details. If in doubt, call the bank on the number printed on your card or on its official website, never a number or link taken from the email itself.
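The URL checks from the tips above can be made mechanical. The script below is an added example, not part of the original post or any bank's software: it takes a sign-in URL and returns every reason not to type credentials into it, covering a non-HTTPS scheme, the `user@host` trick where the bank's name appears before an `@` but the real host is after it, punycode (`xn--`) hostnames that can render as homoglyphs of a real name, and lookalike hosts that contain the trusted name without being it. The allowlist holds `www.dbs.com.sg` only because the post mentions DBS; it is an assumption for the example and should be replaced with the exact addresses of the services you use.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the exact hostnames you expect to see when signing in.
# www.dbs.com.sg is used because the post mentions DBS; confirm the real address
# on your card or statement before relying on it.
TRUSTED_LOGIN_HOSTS = {"www.dbs.com.sg"}


def check_login_url(url, trusted_hosts=TRUSTED_LOGIN_HOSTS):
    """Return a list of reasons not to type credentials into this URL.
    An empty list means the URL passed every check."""
    problems = []
    parts = urlsplit(url)

    # HTTPS is necessary but not sufficient: phishing sites get certificates too.
    if parts.scheme.lower() != "https":
        problems.append("not HTTPS")

    # Anything before '@' is userinfo, not the host:
    # https://www.dbs.com.sg@evil.example actually connects to evil.example.
    if parts.username is not None:
        problems.append("URL contains '@': real host is %r, not %r"
                        % (parts.hostname, parts.username))

    # urlsplit().hostname is already lower-cased; drop a trailing dot.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        problems.append("no hostname")
        return problems

    # Internationalised labels are encoded as xn--...; a homoglyph of the bank's
    # name can look identical in the address bar yet be a different domain.
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("internationalised (punycode) hostname: " + host)

    if host not in trusted_hosts:
        # A trusted name embedded in a longer host (e.g. as a subdomain of some
        # other domain) is the classic lookalike; report it separately.
        for trusted in trusted_hosts:
            brand = trusted[4:] if trusted.startswith("www.") else trusted
            if brand in host:
                problems.append("lookalike: %s contains %s but is not that site"
                                % (host, brand))
                break
        else:
            problems.append("host %s is not in the trusted list" % host)
    return problems


if __name__ == "__main__":
    # Constructed sample URLs, including the tricks described in the post.
    samples = [
        "https://www.dbs.com.sg/personal/login",
        "http://www.dbs.com.sg/login",
        "https://www.dbs.com.sg.secure-verify.example/login",
        "https://www.dbs.com.sg@evil.example/login",
        "https://xn--dbs-5na.com.sg/login",
        "https://www.dbs-com.sg/login",
    ]
    for url in samples:
        verdict = check_login_url(url)
        print(url, "->", "OK" if not verdict else "; ".join(verdict))
```

The exact-match allowlist is deliberate: matching "anything ending in dbs.com.sg" or "anything containing dbs" is what phishing domains are designed to satisfy, so the check compares the whole hostname and treats every deviation as a problem.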