While the Collection 1 data dump – a whopping 773 million unique emails – dazzled with its size, it also underscored the need to shift away from reliance on passwords and renewed calls for investments in more up-to-date and reliable security.
“The sheer size and almost certain impacts of “Collection 1” are historic, but unfortunately not surprising,” said Uniken CEO Bimal Gandhi, who noted that Albert Einstein’s wisdom, “the definition of insanity is doing the same thing over and over again, but expecting different results” applies to the security landscape.
“The continued reliance on outdated security methods such as using PII in authentication certainly fits that definition, given the proliferation of stolen and leaked PII now available on the dark web,” said Gandhi. “These 700+ million email addresses and millions of passwords – many unhashed – will inevitably be used in credential stuffing attacks that greatly harm both consumers and the financial/merchant/payments ecosystem for years to come.”
Adam Brown, manager of security solutions at Synopsis, recounted his own alarm after Security Researcher Troy Hunt revealed the Collection 1 breach. “I first saw this in the small hours and knowing what I know about security and how information is used in credential stuffing attacks I was unable to sleep until I’d checked my own credentials,” said Brown, who tapped into Hunt’s havibeenpwned.com site.
As vast as it is, the Collection 1 dataset is a microcosm of a larger sea of exposed data.
“As shocking as all this news may sound, these types of dumps are far more regular than most people would think. However, many so-called “new” dumps often contain old data seen in previous breaches so even though the numbers sound scary often the volume of actual new data is significantly lower,” said CEO of Authlogics, Steven Hope, CEO of Authlogics, whose analysts have found subsequent “new” data dumps, dubbed Collections #-#5, that total more than 784 GB, or nine times that data found in Collection #1.