Chances are you have been breached and your password has already been sold on the dark web!
If you haven’t heard about one of the largest illegal collections of username and password information in history, please read on. What I am about to explain will almost certainly have an impact on you and your colleagues / employees.
In February 2018, the diet and exercise service MyFitnessPal suffered a data breach. The incident exposed 144 million unique email addresses alongside usernames, IP addresses and passwords stored as SHA-1 and bcrypt hashes (the former for earlier accounts, the latter for newer accounts). In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly.
The MyFitnessPal example is one of many data breaches that have contributed to a list called “Collection #1”, a term coined by Troy Hunt, the well-known security blogger and Pluralsight author. The list itself has subsequently been taken down; however, it was available for sale on the dark web for a number of weeks and is likely in the hands of people who will exploit the information. It's just a matter of when, if not already.
About "Collection #1"
"Collection #1" is a database of sets of email addresses and passwords discovered by security researchers in January 2019. Troy Hunt (founder of the website "Have I Been Pwned?") was directed to a known hacking forum where the 2.7 billion pairs of emails/passwords were available for download.
Some of the data had already been sold in previous releases, but around 20% of the 773 million unique passwords and addresses were from new breaches, making it the largest data breach on the Internet.
So, what can you do?
- First check to see whether you’ve been breached. You can do this by visiting https://haveibeenpwned.com/ and subscribing to their notification service.
- Change all of your passwords, especially ones you have not changed in the last 3 months and definitely ones you’ve never changed. Maintain this practice regularly across all platforms. Good password hygiene is one of the ways to avoid having your life ruined by being the subject of identity theft. It may be annoying to change your passwords every 45-90 days, but the alternative is not worth entertaining.
If you've used a password before, check it on Troy Hunt's "Pwned Passwords" sub-site, as it may already be a password known to hackers and be used for direct login attempts or for password spraying.
- Avoid providing your personal (identifiable) details to companies providing free services. This includes your Date of Birth, Home Address, Mobile Number or any other information that combined would be able to specifically identify you. At the end of the day if it's free there will be a compromise involved. Usually that compromise involves giving up some of your privacy, or if there is a breach of security it can mean a risk to your online identity.
- Use multi-factor authentication. Having just one form of authentication (a password) leaves you vulnerable should your username/password pairs be exposed in these breaches. Using two-factor authentication (2FA) or more forms of multi-factor authentication (MFA) significantly reduces the risk of an attacker successfully using your leaked credentials.
2FA systems often use a mobile phone application, send an SMS to the registered mobile phone number, or utilise a 3rd-party system such as a random key fob carried by the user.
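The "Pwned Passwords" check mentioned above does not send your password anywhere: the site hashes it with SHA-1, sends only the first five hex characters of the hash to the range API, and compares the returned list of hash suffixes locally. The following script is an added example of that k-anonymity check (it is not code from Diamond IT or from Have I Been Pwned). The range response it matches against is constructed for this example: one suffix is the real SHA-1 suffix of the password "password", while the other suffixes and all counts are made up. `live_range` shows how the same lookup would be performed against the real `https://api.pwnedpasswords.com/range/` endpoint, but is not called by default.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed sample of a range response, NOT real data. The second suffix is the
# genuine SHA-1 suffix of "password" (full hash 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8);
# the other two suffixes and all three counts are made up for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
    ),
}


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines from a range response into a lookup table."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_range(prefix: str) -> str:
    """Lookup against the constructed sample above; unknown prefixes return nothing."""
    return SAMPLE_RANGES.get(prefix, "")


def live_range(prefix: str) -> str:
    """Fetch the real range for a 5-char prefix (performs a network request)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, get_range: Callable[[str], str]) -> int:
    """How many times the password appears in breach data (0 = not found).

    Only the hash prefix leaves the machine; the suffix comparison is local.
    """
    prefix, suffix = split_hash(password)
    return parse_range(get_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "Xq7#pLm2!vZ9@kRt"):
        seen = breach_count(candidate, offline_range)
        verdict = f"seen {seen} times, do not use" if seen else "not in sample data"
        print(f"{candidate!r}: {verdict}")
```

To check a real password, swap `offline_range` for `live_range` in the call to `breach_count`; nothing but the five-character prefix is transmitted, which is why this check is safe to run even on passwords still in use.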
Talk to our Technology Consulting Manager
If you would like to talk a more about how Diamond IT can protect your employees and your organisation from threats like this, please give us a call on 1300 307 907 or contact us via the form below.