Blocking compromised passwords from the Collection leak


It all started with Collection #1, a monster breach dubbed the biggest data dump in history with its 773 million unique email addresses and 22 million unique passwords. The exposed data was a compilation of previous thefts (Yahoo, LinkedIn, Dropbox), plus 140 million email addresses and 10 million passwords from previously unknown sources. Next came Collection #2-5, with three times as many unique records. The new Collection leak contains 2.2 billion unique usernames and passwords.

How does the Collection leak put your organization at risk?

Unlike previous breaches, where the data was sold on the dark web for thousands of dollars, the Collection credentials are available for free download on torrent sites. Since the leaked passwords have been cracked and converted back to plain text, even unskilled attackers can break into user accounts by manually trying a leaked username and password on any site. In a credential stuffing attack, the method preferred by more sophisticated attackers, a botnet automates the submission of credentials stolen from one source against other online services. These attacks succeed whenever the same password is reused across multiple sites and services.
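The defensive control the title refers to, blocking a password that already appears in a leak corpus, can be enforced at registration and password-change time. The following is an added example, not code from the original post or from any vendor it describes. It assumes the leak corpus is stored as SHA-1 hex digests and looked up by a five-character hash prefix, the k-anonymity "range query" shape used by the public Pwned Passwords service; the leaked-password sample, the function names and the `min_length` policy value are all constructed for the illustration.

```python
import hashlib

# Constructed sample standing in for a breach corpus. The hashes below are
# computed from these obviously weak strings; nothing here is taken from the
# Collection dump itself.
SAMPLE_LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein"]

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(text: str) -> str:
    """Uppercase SHA-1 hex digest, the storage form assumed for the corpus."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_index(leaked_passwords):
    """Bucket corpus hashes by their first five hex characters.

    A client only ever sends the prefix, so the lookup service never learns the
    full hash of the password being checked; it returns every suffix in the
    bucket and the client does the final comparison locally.
    """
    index = {}
    for pw in leaked_passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


LEAKED_INDEX = build_index(SAMPLE_LEAKED_PASSWORDS)


def range_query(prefix: str, index=LEAKED_INDEX):
    """Server side of the range query: suffixes for one five-character prefix."""
    if len(prefix) != 5 or any(ch not in HEX_DIGITS for ch in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return index.get(prefix, set())


def is_compromised(candidate: str, query=range_query) -> bool:
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    digest = sha1_hex(candidate)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in query(prefix)


def validate_new_password(candidate: str, min_length: int = 12):
    """Policy hook for sign-up and password change. Returns (accepted, reason).

    The length check runs first so a trivially short password is rejected
    without a corpus lookup; the breach check then blocks reuse of anything
    already circulating in a leak, which is what credential stuffing relies on.
    """
    if len(candidate) < min_length:
        return False, "too short"
    if is_compromised(candidate):
        return False, "appears in a known breach corpus"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple 42"]:
        print(pw, "->", validate_new_password(pw, min_length=4))
```

In production the corpus would be the full breach list behind an HTTPS range endpoint rather than an in-memory dict, and the same check belongs in the login path too, so that an existing user whose password later shows up in a leak is prompted to change it rather than left exposed to stuffing.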
