There is no shortage of data breaches these days, but this one should make you sit up and pay attention. The newly discovered "Collection #1" is the largest public data breach by volume, with 772,904,991 unique emails and 21,222,975 unique passwords exposed.
The breach was first reported by Troy Hunt, the security researcher who runs the site Have I Been Pwned (HIBP), where you can check whether your email has been compromised in a data breach. In his blog, Hunt says a large file made up of 12,000 separate files and 87GB of data was uploaded to MEGA, a popular cloud service, then posted to a popular hacking forum, and appears to be a merger of over 2,000 databases. The disturbing thing is that the databases contain "dehashed" passwords, meaning the hashing that turned these passwords into unreadable strings has been cracked and the plaintext passwords fully exposed.
So what does this mean for the average person? According to Hunt, it means compromised email and password combinations are more vulnerable to an attack called credential stuffing. Credential stuffing is when breached username or email/password combos are used to try to log in to other user accounts. This can affect anyone who has used the same username and password combo across multiple sites, and it matters because the Collection #1 breach contains almost 2.7 billion combinations. Also, about 140 million emails and 10 million passwords from Collection #1 were new to Hunt's HIBP database, meaning they had not appeared in previously reported megabreaches.
If you are curious whether your emails and passwords are part of the Collection #1 breach, you can check with HIBP. You can also manually search to see which of your passwords have been exposed. I checked, and yes, my personal email was part of the Collection #1 breach, along with several passwords I no longer use. Needless to say, if you can find your password in the HIBP database, change it immediately.
The lessons from Collection #1, however, are the same good security practices as always: do not reuse passwords, enable two-factor authentication, and if you have been putting off getting a password manager, now is the time to bite the bullet.
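As an added illustration (not code from the article or from HIBP), this is how the HIBP password check works without ever sending the password: only the first five characters of its SHA-1 hash go to the range API, and the match is done locally on the returned suffixes. The range response below is constructed for the example, with illustrative counts, so it runs offline.

```python
"""Added example: HIBP Pwned Passwords k-anonymity range lookup, offline."""
import hashlib

# Constructed sample of what api.pwnedpasswords.com/range/5BAA6 might return:
# each line is "<35-hex-char hash suffix>:<count>"; counts are illustrative only.
# The real API may also pad responses with ":0" entries that must be ignored.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FDA:0
00E5A7B4D2C3F1A9B8C7D6E5F4A3B2C1D0E:2
"""


def sha1_prefix_suffix(password: str) -> tuple:
    """Return the 5-char prefix sent to the API and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a dict; padding entries (count 0) are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if len(suffix) == 35 and n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) returns a range response body; result is how often
    the password appears in the breach corpus (0 if not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTPS call; only prefix 5BAA6 has constructed data here."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = breach_count(pw, offline_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample range'}")
```

Replacing `offline_fetch` with an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>` turns this into a live check; the password and its full hash still never leave the machine.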