In January 2019, a file containing roughly 773 million unique email addresses and 21 million unique passwords was found circulating on a popular hacking forum. Known as Collection #1, it is one of the largest collections of breached data ever made public.
Although it’s been a few years since Collection #1 made news headlines, it still matters.
The reason is that most people never change their passwords after a breach. This means that the passwords exposed in Collection #1 are more than likely still in use by millions of Americans today, and you may be one of them.
Here’s what you need to know.
What is Collection #1?
Collection #1 was discovered by security researcher Troy Hunt, who runs the breach-notification service Have I Been Pwned. Rather than a single hack of one very large service, it is an aggregation of data from around 2,000 separate databases.
What is most worrying is that the passwords in the collection were “dehashed.” Websites are not supposed to store the password you type; they store a hash, a one-way scrambled version of it. Many of the source breaches originally contained only those hashes, but the hashes had since been cracked, so Collection #1 holds the passwords in plain text, ready to be tried against other accounts.
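To make concrete what “dehashed” means, here is an added example that is not from the original article and is not code from Have I Been Pwned: a constructed wordlist and a constructed breached user table (the email addresses, passwords and salts are all made up) are stored with the unsalted MD5 that many small sites used, then recovered with a single dictionary lookup. The same attack is then run against salted, iterated PBKDF2 to show what proper storage buys you, and what it does not.

```python
import hashlib
import os

# Constructed wordlist: a stand-in for the multi-gigabyte lists crackers actually use.
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou", "dragon", "sunshine"]

# Constructed breached user table (hypothetical accounts, not real data).
USERS = {
    "alice@example.com": "letmein",
    "bob@example.com": "qwerty",
    "carol@example.com": "correct horse battery staple",  # not in the wordlist
}


def md5_unsalted(password: str) -> str:
    """How many of the source sites stored passwords: one fast, unsalted hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: bytes, iterations: int = 50_000) -> str:
    """Salted, iterated storage (PBKDF2-HMAC-SHA256). The record carries its own salt
    and iteration count so the site can verify logins later."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def crack_unsalted(dump: dict, wordlist: list) -> dict:
    """Dehash an unsalted dump: hash the wordlist ONCE, then every record is a dict
    lookup. The cost grows with the wordlist, not with the number of victims.
    Returns email -> recovered password (None when the wordlist misses)."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {email: table.get(stored) for email, stored in dump.items()}


def crack_salted(dump: dict, wordlist: list) -> tuple:
    """The same dictionary attack against salted records. Each salt is different, so
    the precomputed table is useless: every guess is re-hashed per record and each
    guess costs `iterations` HMAC calls. Returns (cracked, total_guesses)."""
    cracked, guesses = {}, 0
    for email, stored in dump.items():
        _, iters, salt_hex, _ = stored.split("$")
        salt, iters = bytes.fromhex(salt_hex), int(iters)
        for word in wordlist:
            guesses += 1
            if pbkdf2_salted(word, salt, iters) == stored:
                cracked[email] = word
                break
    return cracked, guesses


def combo_list(cracked: dict) -> list:
    """Emit the 'email:password' lines that combo lists like Collection #1 consist of,
    dropping the records the wordlist did not recover."""
    return [f"{email}:{pw}" for email, pw in cracked.items() if pw]


def demo() -> dict:
    """Run both attacks over the constructed table and summarise the outcome."""
    unsalted_dump = {email: md5_unsalted(pw) for email, pw in USERS.items()}
    salted_dump = {email: pbkdf2_salted(pw, os.urandom(16)) for email, pw in USERS.items()}
    cracked_fast = crack_unsalted(unsalted_dump, WORDLIST)
    cracked_slow, guesses = crack_salted(salted_dump, WORDLIST)
    return {
        "dehashed_combo_lines": combo_list(cracked_fast),   # alice and bob fall instantly
        "salted_combo_lines": combo_list(cracked_slow),     # they fall too, just slower
        "salted_guesses": guesses,                          # 4 + 3 + 7 = 14 PBKDF2 runs
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The honest lesson is in the second result: salting and iteration make bulk dehashing expensive, but “letmein” and “qwerty” are recovered either way. Hashing buys the victims time to rotate; only an unguessable, unique password keeps an account off a combo list.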
Who is Responsible for the Breach?
According to security reporter Brian Krebs, Collection #1 is just one offering from a seller who claims to have at least six more batches of data. The identity of this seller remains unknown.
About 82% of the email addresses had already appeared in previous breaches shared among hackers, but about 140 million email addresses had not been seen before.
Why Does Collection #1 Matter Today?
Study after study shows that most people don’t bother changing their passwords after a breach. Or, if they do, their new passwords are very similar to the breached ones, which makes them easy for cybercriminals to guess.
Users also typically continue to use exposed passwords across other online accounts. So even if they change their password for the compromised account, cybercriminals can still use that same password to breach other accounts.
In one survey, more than six in ten people were found to be using a password compromised in a breach to secure other accounts.
In 2019, Sergey Lozhkin, a security expert at Kaspersky Lab, said of Collection #1: “This collection can easily be turned into a single list of emails and passwords: and then all that attackers need to do is to write a relatively simple software program to check if the passwords are working.”
From there, it’s easy for attackers to do a lot of damage. According to Lozhkin, “The consequences of account access can range from very productive phishing, as criminals can automatically send malicious emails to a victim’s list of contacts, to targeted attacks designed to steal victims’ entire digital identity or money or to compromise their social media network data.”
As Hunt said in 2019, “If you’re one of those people who think it won’t happen to you, then it probably already has.” Even if you only signed up for a harmless forum years ago and have long since forgotten about it, the email address and password you used there could be in a list like this one.
How Can You Stay Safe from Credential Stuffing?
Credential stuffing attacks work because so many people reuse the same password across many different accounts: an attacker takes the email and password pairs from one breach and tries them, automatically and at scale, against the login pages of other sites.
Consequently, it’s critical that you use strong, unique passwords for all your accounts. A password manager makes that practical, and turning on multi-factor authentication where it is offered limits the damage when a password does leak.
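A check a security engineer would add here, as an added example rather than code from the article or from Have I Been Pwned: Hunt’s Pwned Passwords service lets you test a password against his breach corpus without ever sending the password. The client hashes it with SHA-1, sends only the first five hex characters of the hash to the range endpoint (https://api.pwnedpasswords.com/range/{prefix}), receives every matching suffix with a count, and compares locally. The `RangeServer` below is a constructed offline stand-in for that endpoint over a made-up corpus with made-up counts; `fetch_range_http` is the real call; `audit_passwords` also flags reuse across accounts, which is exactly what credential stuffing exploits. The site names and passwords are hypothetical.

```python
import hashlib
import urllib.request
from collections import defaultdict

HEX = set("0123456789ABCDEF")


def sha1_upper(password: str) -> str:
    """Pwned Passwords is keyed on the uppercase hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple:
    """k-anonymity split: the 5-char prefix goes over the wire, the 35-char suffix stays local."""
    return digest[:5], digest[5:]


# Constructed corpus standing in for Pwned Passwords: password -> times seen in breaches.
# The counts are invented for the demo, not figures from the real service.
LEAKED_CORPUS = {"password": 3_000_000, "123456": 20_000_000, "qwerty": 4_000_000, "letmein": 100_000}


class RangeServer:
    """Offline stand-in for GET /range/{prefix}. It never sees the password or the full
    hash, only the prefix, and answers with every suffix it knows under that prefix,
    one 'SUFFIX:COUNT' per line, which is the format the real endpoint uses."""

    def __init__(self, corpus: dict):
        self.by_prefix = defaultdict(list)
        for pw, count in corpus.items():
            prefix, suffix = split_hash(sha1_upper(pw))
            self.by_prefix[prefix].append(f"{suffix}:{count}")

    def range(self, prefix: str) -> str:
        if len(prefix) != 5 or not set(prefix) <= HEX:
            raise ValueError("prefix must be 5 uppercase hex characters")
        return "\r\n".join(self.by_prefix.get(prefix, []))


def fetch_range_http(prefix: str, timeout: float = 10.0) -> str:
    """The real call against the public range endpoint. Only the prefix leaves the machine."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-audit-example"},  # hypothetical UA string
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_http) -> int:
    """How many times the password appears in the corpus; 0 if it was never seen."""
    prefix, suffix = split_hash(sha1_upper(password))
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        got_suffix, count = line.split(":", 1)
        if got_suffix.upper() == suffix:
            return int(count)
    return 0


def audit_passwords(accounts: dict, fetch_range=fetch_range_http) -> dict:
    """accounts: site -> password. For each site report whether the password is in the
    breach corpus and which other sites share it (the reuse that stuffing relies on)."""
    sites_by_password = defaultdict(list)
    for site, pw in accounts.items():
        sites_by_password[pw].append(site)
    # One range lookup per distinct password, not per site.
    counts = {pw: pwned_count(pw, fetch_range) for pw in sites_by_password}
    return {
        site: {
            "pwned": counts[pw],
            "reused_with": sorted(s for s in sites_by_password[pw] if s != site),
        }
        for site, pw in accounts.items()
    }


if __name__ == "__main__":
    # Hypothetical account list, checked against the offline stand-in.
    server = RangeServer(LEAKED_CORPUS)
    accounts = {"bank": "letmein", "forum": "letmein", "mail": "jX4!v-coral-stapler-91"}
    for site, finding in audit_passwords(accounts, server.range).items():
        print(site, finding)
```

Pass `fetch_range_http` instead of `server.range` to run the same audit against the live service; nothing but five hex characters per distinct password is transmitted, so the check is safe to run on real passwords.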
But be warned: personal information does not equal “unique.” Your birthday, your spouse’s name, or the street you grew up on does not make for a strong password. This kind of personal information is widely available on the web via sources like social media accounts and data broker websites, which means that cybercriminals can easily guess such passwords.
That is also why you should opt out of data broker sites. Even if your passwords are unique, criminals can still use data broker profiles to craft phishing messages that trick you into handing your credentials over. Read more about data brokers in our ultimate guide.
DeleteMe was created in 2010 when we realized the difficulty of navigating privacy issues in today’s interconnected and digital world. Our mission is to provide everyone with the power to control their digital identity.