By Kari Paul, MarketWatch
If you haven’t changed your password after one of the countless data breaches over the past few years, the time is now.
Nearly 773 million records, including email addresses and passwords, were exposed in a series of data breaches publicized by security researcher Troy Hunt and independently verified by security researchers at Krebs on Security.
Hunt said this large collection of files, which could be the largest data trove yet to be made public, was collected from a number of breaches in recent years and uploaded to the popular cloud service MEGA. That platform has since removed the data, which was promoted on popular hacking forums.
The list is likely not comprised of new hacks but is a collection of emails that have been exposed in recent years.
The collection of files includes log-in credentials from more than 2,000 websites. The records were viewable to anyone with an internet connection. Troy Hunt, a web security consultant and Australian regional director for Microsoft security, said he verified the online data. (Regional directors are described by Microsoft as “trusted advisers to the developer and IT professional audiences and Microsoft.”)
“The unique email addresses totalled 772,904,991,” Hunt wrote on his website. Hunt said his own data appeared in the giant trove of stolen emails and passwords, despite his intensive security practices as a privacy professional.
Consumers can check whether their email addresses are included using Hunt’s website HaveIBeenPwned.com. Hunt said he does not log any data on his website when you visit and that it’s not used to harvest email addresses, but is “a free service for people to assess risk in relation to their account being caught up in a breach.”
Lorenzo Franceschi-Bicchierai, a technology writer at Motherboard, said Hunt’s data trove is a collection of several old data breaches and, as such, said there’s no cause for alarm.
“In fact, of the 773 million unique emails in this collection, only 141 million (around 18%) were not included in Have I Been Pwned, Hunt’s invaluable resource of hacked data. And of the 22 million passwords, half were not in the database,” he wrote.
“Millions of passwords get dumped online pretty often,” Franceschi-Bicchierai added. “In 2016, for example, we revealed that hackers were trading 427 million MySpace passwords, and 117 million LinkedIn passwords.”
Breaches are often used for “data-stuffing attacks,” in which hackers use bots to automatically test millions of emails and password combinations across many website login pages until they gain access. This means if you use the same password across different websites, you could be at risk of being compromised, even at sites that weren’t hacked.
“Password dumps create a ripple effect of organizations spending precious time and resources on damage control,” said Rami Essaid, co-founder of the bot mitigation company Distil Networks. “While it’s important that individual web users have strong, secure logins, the onus is on the businesses to detect and block malicious bot traffic before large-scale password hacks can occur.”
This latest data dump is yet another reminder that the best way to protect your privacy is to use a password manager and two-factor authentication, said Bill Evans, a vice president at California security firm One Identity.
He added that businesses have no excuse not to offer two-factor authentication, which requires users to input a code sent to their phone or email to log in, adding an extra layer of security. “For individuals, if your bank offers it, enable it,” he said. “If your bank does not offer it, change banks.”
You can check whether your bank and any other website you use offers two-factor authentication at 2FA. Evans also suggested all individuals start using a password manager. Services include LastPass, 1Password, or Dashlane. If you already use one of these services, consider changing all the passwords stored in it because they could have been exposed in this latest breach.
Some managers, like LastPass, allow users to do this easily through a feature called “auto change.” Hunt noted that anyone who doesn’t trust a digital manager should at least consider physically writing down passwords in a notebook — anything is better than using the same password across multiple websites.
“The real risk posed by incidents like this is password reuse and you need to avoid that to the fullest extent possible,” he wrote.