A recently revealed collection of hundreds of millions of emails and passwords is being hailed as the largest data breach ever.
In a story first reported Wednesday, security researcher Troy Hunt announced that nearly 773 million unique emails and more than 21 million unique passwords had been exposed.
The seemingly unprecedented exposure, dubbed “Collection #1,” led to breathless headlines about the scale of the data. But a quick glance at Hunt’s own analysis reveals that the issue is not quite as serious as many believe.
While people may have the impression that all the credentials were obtained in a single mega-breach, the data is merely a collection of emails and passwords gathered from numerous previously known breaches.
Hunt, who runs “Have I Been Pwned,” a service that allows anyone to check whether their email has shown up in public breaches, even notes that more than 80 percent of the emails in Collection #1 were already known to his site.
As Motherboard’s Lorenzo Franceschi-Bicchierai also noted, “of the 22 million passwords, half were not in the database.”
Brian Krebs, a security expert and bestselling author, spoke with Sanixer, the hacker selling the Collection #1 data, and was told that the content was several years old.
“Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his ‘freshest’ offering,” Krebs writes. “Rather, he sort of steered me away from that archive, suggested that—unlike most of his other wares—Collection #1 was at least two to three years old.”
Still, the latest breach news should remind everyone to check their digital security hygiene.
Simple steps such as obtaining a password manager and making sure to create a strong and unique password for every service you use can help minimize the damage from data breaches. Setting up two-factor authentication can also protect you even if your password is compromised.