You may have read today about the latest data breach to be discovered. Dramatically dubbed “Collection #1,” this one is the largest by volume, with over 770 million unique email addresses and over 21 million unique passwords. The data was collected from several databases a few years ago, but was just uploaded to a popular cloud filesharing service and posted to a popular hacking forum.
What’s the risk?
That lots of hackers are currently using something called “credential stuffing”, trying all of the published email/password combos across every website imaginable to access private accounts and, if they get in, use that access to do bad things.
Is this breach different?
No, it’s just bigger. These happen pretty frequently these days.
How do I know if I’ve been affected?
Search your email addresses (work and personal) at the website Have I Been Pwned?, or any password on their Pwned Passwords page, to see if any you use have been included in this breach or formerly-discovered breaches. Troy Hunt, a security researcher who runs this website, was the one who first published the existence of this breach. For obvious reasons, he doesn’t offer a way to look up email/password combos.
Do we have to do something new?
Our recommendations below are nothing new, though if you or your colleagues haven’t followed them in the past (most people don’t), this is a good excuse.
So what should we do?
- Immediately change any password that has been breached; do this for all personal and work accounts
- Enable multi-factor authentication for all your important accounts; instructions can be found for each system with a little Googling, but we’re happy to help (for your business systems, this may need to be done at the organization level if it isn’t already, so reach out)
- Use a password manager like 1Password, LastPass, Dashlane, etc. and use it to create unique, randomly-generated passwords for every account (never, ever use the same password on more than one site
- Implement Single Sign-On like OneLogin, for business apps, which will prevent any connected apps from even storing your password in their system
- Set up notifications to make sure you find out whenever your email address was included in a new breach (several sites offer this, including many password managers and have i been pwned?)
- Sign up for Managed IT Services – If your business is rapidly growing and has yet to put a concrete plan in place for IT Security, Disaster Recovery or Business Continuity, managed services can help your firm proactively reduce exposure to these types of issues using a strategic and systematic approach.
- Consider Cyber Liability Insurance – it protects your business against the expenses associated with a data breach. We’ll help you evaluate the data liability risks your business faces and find you a policy that meets your specific needs.
The trick with all this is that very few people take the time to do all these things, and if you don’t, the chances keep increasing that you will have your private data or identity stolen. This is a good time to take this seriously and make sure everyone in your company does, too.
We continue to beat the drum on information & data security because it’s at the root of reducing your risks. These breaches can impact you both as an individual and as a business. We’d be happy to chat through any concerns you might have in better protecting yourself in the future.
Shared with thanks from Kinetix.
