Collection #1 Data Breach and Your Site Security

Collection #1 Data Breach and Your Site Security

The emails and passwords of 773 million people have been put up for grabs on the internet. Get the details on how to check if your info has been released and how to protect your website and other online accounts.

About the Data Breach

Microsoft regional director Troy Hunt originally broke the story on Jan 17. 2019.

Because the name of the file with the info is titled Collection #1, that is what he has dubbed the breach.

It is a massive collection of multiple smaller breaches from several hacker sources.

Hunt was alerted to a large file on the popular MEGA cloud storage service containing 87GB of data across 12,000 different files.

Word quickly spread across hacker forums that the data was available for download. It is unknown how many downloads took place before the files were removed.

Hunt discovered that one of his own email/password combos was correctly listed in the file. That despite his password having been “hashed” or encrypted.

The MalwareBytes site reports that much of the leaked data is at least 2 years old.

But, since so many folks rarely update their passwords, much of the data is still useful to hackers.

Check if Your Data Was Listed

Hunt is also the driving force behind the “Have I Been Pwned?’ (HIBP) site and free service that alerts folks if their data has been shared in such data breaches.

Of the 2.2 million folks already registered with that service 768,000 of them were listed in the Collection #1 files.

Check Your Emails

Before you do this check, don’t be shocked if every email address you enter has been pwned.

Go to https://haveibeenpwned.com/ and check every email address you use for online accounts to see if it is listed by the service.

Check Your Passwords

The pwned email database does not list any passwords in conjunction with the emails.

To check any past or current passwords you’ve used, go to https://haveibeenpwned.com/Passwords

If you see any current ones listed, keep in mind that it may not be from this current Collection #1 breach. It could have been from a separate, previous leak. But, that still means that the associated account may be at risk for being hacked or otherwise compromised.

How to Protect Your Online Accounts

Your online security starts with you!!!!

Take these steps to make all of your online accounts more secure.

Use super strong passwords.

Strong Random Passwords is my favorite site to help create a unique password. Set it to 16 characters and check all the boxes to add as much gobbly goop as you can, especially special characters.

Never use the same password twice.

All it takes is one data breach on one account and hackers can access every other account you have with the same info. Create a unique password for every single account, no exceptions.

Use a Password Manager

Forget trying to make passwords that are easy to remember. They are easy to hack too!!!

LastPass is the #1 password manager. It remembers each password and the account it is associated with. It’s free to use on one device and $2/mo to use on multiple devices.

Rotate Your Passwords Annually

All of them. That includes every online account you have every signed up for.

I have over 100 accounts and I rotate 5-10 at a sitting. Takes me less than 15 minutes a pop.

I also have a protected spreadsheet in a digital vault with a list of all of my online accounts. (No passwords are on that sheet.)

Every time I create a new account it gets put on that sheet right that minute.

Start your sheet as you update your passwords. That will save you a lot of time next year.

Never send account info in open email

Never!!!!!!!!!!!!!!!!!!

Google docs is a great way to share account info with support folks. You can complete control the access of who can see the info. And you can send the link to the doc in emails. Even if a man-in-the-middle attack is spying on the data as it travels across the internet, and even if they get the link, they still can’t access the doc.

Change Password After Support Access

If you ever need to share your account with tech support, be sure to change that password after they have finished. You have no idea what they do with those tickets or emails later, or if they are at all secured.

Limit Access on Apps

Check your social media accounts, especially Facebook, for any apps that may have access to your account. Delete as many as you can. And seriously consider whether you really need any of the others.

Limit Logins from Profiles

Yeah, it may be convenient to use your Facebook or Twitter login to access other sites, but now you’ve put both of them at risk. It’s just as easy to use your email or username and let LastPass handle the password part of the login.

Close Online Accounts

If you no longer use it, close it.

Now, that’s no guarantee that they will wipe their system of your info, but you can ask them to before you close the account.

Get Your Whole Site Secured

Site security and performance go hand-in-hand.

Bots are ALWAYS trying to break into sites to steal emails.

Little, unprotected sites are their favorite prey.

And, those can turn into a back door to a whole shared hosting server and then they can attack everyone from within.

Plus, all of those bad bots are chewing up the hosting resources you should be reserving for humans.

That makes your site slow, meaning you lose visitors. It can also cost you more money for extra hosting.

A site audit is THE best way to see everything that is hitting your site (and no, Google Analytics won’t show you the bots).

On average, I find 26 security and performance holes that no plugin scanner finds.

Get those holes plugged!!! Get your site faster!! And make, and save more money.

10 Comments

  1. I haven’t seen this information listed anywhere for Lastpass
    1. Can I see the password for each account (My Blog, cloudflare, etc. so when I have a site audit I am able to share with you?
    2. For multiple device am I able to use two browsers to share passwords between? If I use Chrome will Safari also be able to see that password?

    1. I can’t use LastPass because I log into the same service for so many clients. It gets confused.
      So, you’ll want to maybe try the free version of LastPass to check more deeply into it for one or two of your accounts about those questions, or perhaps others who read this post will know.
      But, I do have clients that use it and they have no trouble accessing PW to give me for audits and such.

  2. Thanks MaAnna. If I can at least know the current password to share with you then O can live with it. Just another thing on ,y list to research and test! LOL. Right now I have them all in a spreadsheet. But Chrome cant sync as they are held in my apple list for Safari.

  3. Thanks for the info. I agree that LastPass is fantastic. I did a lot of research with security and productivity people prior to choosing. We use Lastpass and share across the family and service providers. One cool feature of Lastpass is that you can share a login with a service provider w/o them actually getting the login credentials. They can launch from LastPass and get access, but never have to have your details. When they no longer require access, you just remove the share. I use it on my phone and laptop seamlessly.

      1. Hi Marilyn –
        I use Chrome on my laptop with a LastPass plugin and on Safari on my iPhone. I have a LastPass app on my phone as well. I would guess that it works on Safari on a Mac, but my only experience is on my phone.

        1. Thx Stephanie. I am using safari on both ipad and iphone and it works fine across devicxes. On my ipad I also have chrome installed. I would like to know if the lastpass on my ipad will work in sync between the two. I am looking to have all my passwords show in any browser. Seems ios doesnt like to update chrome too. (I do have them saved on icloud. But they dont like to work well on this issue. ) LOL. I guess I will have to test more.

          1. I use LastPass exclusively to store and secure my login info. I do not save my passwords to the iOS system password stuff or to my Chrome.

            Because LastPass is on the cloud, you can keep devices synced by using the tools that use LastPass as the database.

            For example, on my phone, if I want to log into a site, I go to the LastPass app and select that site. It launches safari and inputs the login requirements.

            On chrome, I go straight to the site. If that site’s credentials are on LastPass, the chrome extention for LastPass will recognize it.

      1. I was giddy when I got it all setup. With my son applying to colleges and me now helping my parents with a lot of their stuff, my logins have grown quite a bit!

        I also love LastPass’s password generator feature. Keeps my stuff secure.

Comments are closed.