
Collection #1 Hack - What You Need To Do Now


In recent days, 773 million email addresses and 21 million different passwords for online services used worldwide have surfaced in underground forums on the Darknet. According to experts, the list of stolen user information is structured in such a way that it is ideally suited to carrying out the attack known as "credential stuffing" (filling in login details).

In this article you will learn what you need to do now.

Background

With credential stuffing, the attacker attempts to gain access to a web service via an automated process. To do this, they use a software program to feed the login mechanism of various web services with e-mail and password combinations from a large user name/password list.

Collection #1 is a data source that contains many such lists. It contains almost 2.7 billion username-password combinations. Attackers could use them to hijack and control massive numbers of accounts from online web services.

This is particularly successful because many users use the same combination of e-mail address and password for different services. They may therefore become victims of random hits in a credential stuffing attack.
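Seen from the side of an online service, the pattern described above shows up in the login log as one source trying many different accounts only once or twice each, with most attempts failing. The following sketch is an added example, not part of the original article; the event layout, thresholds, addresses and account names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success).
# Addresses come from documentation ranges; accounts are invented.
SAMPLE_EVENTS = (
    # One source replays a list: 8 different accounts, one attempt each, one hit.
    [("203.0.113.7", f"user{i}@example.org", i == 4) for i in range(8)]
    # A legitimate user mistypes the password twice, then gets in.
    + [("198.51.100.20", "alice@example.org", ok) for ok in (False, False, True)]
    # Password guessing against a single account (not credential stuffing).
    + [("192.0.2.50", "bob@example.org", False)] * 10
)


def find_credential_stuffing(events, min_accounts=5, max_tries_per_account=2,
                             min_failure_ratio=0.8):
    """Return {source_ip: summary} for sources whose logins look like list replay.

    The thresholds are illustrative assumptions, not recommended values.
    """
    per_source = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for source, user, success in events:
        counters = per_source[source][user]   # [attempts, successes]
        counters[0] += 1
        counters[1] += int(success)

    findings = {}
    for source, users in per_source.items():
        attempts = sum(a for a, _ in users.values())
        failed = attempts - sum(s for _, s in users.values())
        many_accounts = len(users) >= min_accounts
        few_tries_each = max(a for a, _ in users.values()) <= max_tries_per_account
        mostly_failing = failed / attempts >= min_failure_ratio
        if many_accounts and few_tries_each and mostly_failing:
            findings[source] = {
                "accounts_tried": len(users),
                "failed_attempts": failed,
                # A success here means a reused password worked: force a reset.
                "accounts_to_reset": sorted(u for u, c in users.items() if c[1]),
            }
    return findings


if __name__ == "__main__":
    for source, summary in find_credential_stuffing(SAMPLE_EVENTS).items():
        print(source, summary)
```

Grouping by source address is the simplest case; a service would normally combine it with other signals, since list replay can be spread over many addresses.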

To ensure that your accounts are protected, or rather not affected, please take the following steps:

1. Check whether you are affected by Collection #1

Check with the online service "Pwned Passwords" whether you are affected. To do this, enter the e-mail address you use as your user name into the web service. You will then be informed whether this e-mail address is included in Collection #1 or similar lists.

Don't worry: this service is operated by security researchers and is safe!

2. Change the password

Change the passwords of all affected online services where you use a compromised e-mail address as your login name. It is best to also change the passwords of all other services that you use regularly or that contain sensitive data.

To change the passwords, you usually log in to the respective online service. There you can change your password in Account Settings.

3. Use secure passwords

Use secure passwords when you do this, and from now on. A secure password should be as long as possible. Security researchers recommend a length of at least 12 characters.

Strings of characters within the password should not appear in dictionaries. Ideally, your password should consist of upper and lower case letters and numbers and, if necessary, 1-2 special characters.

You can create a secure password using the so-called mnemonic rule. To do this, think of a sentence and create the password by combining letters from that sentence.

An example of a mnemonic could look as follows:

I would like to make my online accounts more secure in the near future and use a secure password for each account!

If you use the first letter of each word to create the 23-character password, it would be as follows:

IwlTmmoamsitNfauaSpfea!

This password is secure according to the state of the art and is based on the recommendations of the security experts at NIST (National Institute of Standards and Technology, USA), who develop such recommendations with worldwide validity.

4. Create and remember passwords more easily - use digital tools

It is clear that the mnemonic rule is catchy, but for the multitude of online services used today it is very difficult to apply. For this reason, it is advisable to use digital tools to manage passwords.

One such tool is Keepass, which is free and recommended by the BSI (German Federal Office for Information Security). Keepass is available for Windows, Mac OS, Linux, iOS and Android.

Keepass can generate secure passwords for you. These can then be stored together with the user name of an online service in a secure password vault in Keepass.

In future, when you log in to a web service, simply copy the user name and password from Keepass and use them to log in.

To secure the password vault itself, you then need a very secure password. Create it from a long sentence using the mnemonic rule above. Write down this password - and possibly other very important passwords - on a piece of paper and store it, for example in a safe.

Tip: you can also store PIN numbers of your bank cards and other sensitive information in Keepass. Use this opportunity to protect your sensitive data!

What do we learn from the Collection #1 Hack?

It has again been confirmed that absolute security does not exist. Hackers are as active as ever and every online service is potentially at risk of being hacked.

Nevertheless, it also depends on us to protect our own accounts and data as well as possible against attacks. The following points can guide us in this:

  • Choose the online services you use carefully. For example, to test a service, use disposable e-mail addresses that you only use once.
  • Ideally, use a unique combination of user name and password for each online service.
  • Change your passwords regularly. Use a password vault, such as Keepass, to manage the multitude of secure passwords.
  • If possible, use 2-factor authentication to protect your online account.
  • Protect your children online by creating an email address for them that does not reveal their identity.

Providers of online services will also face enormous challenges in the future to ensure the security of customer data.

Fundamental security deficiencies, as in the case of Cuddles.com, must be avoided. There is a need for further standards that regulate the security of online services in a binding manner across all sectors in the future.

Nadine Porrmann