My data was leaked in Collection #1. What should I do?

January 17, 2019

Today privacy and security expert Troy Hunt published a blog post about the so-called Collection #1, a large database containing more than 700 million unique e-mail addresses and more than 1.1 billion unique login-password pairs that surfaced on the Internet recently. Here we explain how to check whether it affects you, and what you can do about it.

Leaks and breaches happen quite often, and sometimes they are big. Malefactors collect the leaked information and build databases of logins and passwords. Some of them try to add information from every leak to these databases, and that effort results in gigantic databases such as the one dubbed Collection #1, which Troy Hunt has analyzed.

This is not just one monster leak (like the one that hit Yahoo!, in which billions of users’ credentials were stolen). Instead, it is a collection that compiles information from more than 2000 different leaks, some of them dating back as far as 2008 and some more recent.

Surprisingly, Collection #1 does not seem to include logins and passwords from well-known leaks such as the LinkedIn leak of 2012 and the two Yahoo breaches (here’s our post about Yahoo breach #1, and here’s another about breach #2).

How to find out if I am affected by Collection #1?

To find out whether any of your credentials are in the database, you can use haveibeenpwned.com. Type in the e-mail address your accounts are associated with, and you will see whether that address was included in any of the leaked databases haveibeenpwned.com knows about.

If your e-mail was part of Collection #1, there will be an entry about that on haveibeenpwned. If it’s not there, you’re lucky, and there’s nothing you need to do about this situation. But if it is there, that’s where the tricky part begins.

What should I do about my account being mentioned in the Collection #1 database?

If your e-mail is there, it’s certainly a signal that you have to do something. However, the service won’t tell you which of the accounts tied to this e-mail was breached. Was it an account on a cryptocurrency forum, an online library account, or a cat-lovers-community account? With that said, there are two options now, depending on whether you have been using a single password on multiple services or not.

Option 1: you were using one password for multiple accounts associated with this e-mail address. Then life is going to be hard, because to be safe you’ll have to go through all of these accounts and change the password for each and every one. Don’t forget that those passwords have to be long and unique. I think that, since you’re used to remembering just one password, trying to memorize a bunch of new ones would be next to impossible, so it’s probably a good idea to use a password manager.

Option 2: you were using unique passwords for the accounts associated with this e-mail address. Good news: it’s going to be somewhat easier. Of course, you can still change all your passwords, but there’s no need to. Instead, you can try to find out which of your passwords was exposed using another haveibeenpwned feature called Pwned Passwords.

There you can type in the password for one of your accounts and see whether it appears in the haveibeenpwned database of leaked passwords, either in plain text or as a hash. If you see that a password has surfaced on haveibeenpwned at least once, you’d better change it. If not, then it’s safe. Then proceed to the next password.

Of course, doing that means trusting haveibeenpwned, and most people have no particular reason to. That’s why you can also paste a SHA-1 hash of your password there instead, and that will give you the very same result as pasting the password itself. There are several online resources that produce SHA-1 hashes of whatever information you feed them (here, I googled them for you). That way you do not expose your password to haveibeenpwned, so there are no additional reasons to feel paranoid.
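The hash-based check described above, as an added example that is not code from the original post or from haveibeenpwned: it computes the SHA-1 hash with Python's standard library, so the password is never typed into a third-party hashing website either, and matches the hash against a Pwned Passwords range response. It assumes the k-anonymity range endpoint `https://api.pwnedpasswords.com/range/<first 5 hex characters of the hash>` that the Pwned Passwords page itself uses, so only those 5 characters ever leave your machine; the sample response and its counts below are constructed.

```python
import hashlib
import urllib.request
from typing import Optional, Tuple

# Constructed sample of a Pwned Passwords range response (NOT real data): each line is
# the 35-hex-character SUFFIX of a SHA-1 hash, a colon, and the number of times that
# password was seen in breaches. The middle entry is the real suffix of SHA-1("password")
# with a made-up count; the other suffixes and counts are invented for this example.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash the password locally and split the upper-case hex digest into the
    5-character prefix that is sent to the service and the 35-character suffix
    that stays on your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Return how many times the suffix appears in a range response, 0 if absent."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Query the k-anonymity range endpoint for one 5-character prefix (needs network)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "collection1-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, body: Optional[str] = None) -> int:
    """Breach count for a password; pass `body` to check a saved response offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    if body is None:
        body = fetch_range(prefix)
    return count_in_range(suffix, body)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample; drop the second argument
    # to query the live service for the password's own prefix instead.
    hits = check_password("password", SAMPLE_RANGE_RESPONSE)
    print(f"seen {hits} times in breaches; change it" if hits else "not found in this range")
```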

General advice on how to stay safe and mostly unaffected by data breaches

We have seen numerous leaks over the past few years, and it’s safe to assume that a lot more will happen in the future. That’s why new large databases such as Collection #1 will keep appearing from time to time, and malefactors will gladly use them to try to break into people’s accounts. To minimize the chance of being affected by such breaches, I recommend the following:

  • Use long and unique passwords for each and every account. That way, if a service is breached, you’ll need to change just one password.
  • Enable two-factor authentication wherever possible. It keeps hackers out of your account even if they have obtained your login and password.
  • Use security solutions such as Kaspersky Security Cloud that can warn you about recent breaches.
  • Use a password manager that can help you create many unique and strong passwords with no need to memorize them. Password managers can also help you change passwords faster whenever you need to. Kaspersky Password Manager handles both of these tasks efficiently.