The Collection #1 data breach – what you need to do about it

Don’t panic, but do get more serious about following password best practices.

Graham Cluley

A huge collection of email addresses and passwords, which can be used in attempts to break into online accounts, has been discovered.

The massive haul of data is most likely being used for “credential stuffing” attacks, where hackers run programs which automatically attempt to break into accounts using a large number of matched usernames and passwords. If they don’t break in with one username and password combination, the program moves on to the next. And so on…

As Troy Hunt describes, the so-called “Collection #1 data breach” is made up of data stolen from numerous different data breaches. In all there are 1.16 billion unique combinations of email addresses and passwords in the data set, totalling 772,904,991 different unique email addresses.

In short, a lot of us may be affected.

I know, because I’m one of them. I received a number of notifications from Troy’s HaveIBeenPwned alert service earlier today, informing me that email addresses I control had been found in the database, alongside passwords.


HaveIBeenPwned will only tell you that your email address has been found in a data breach. It won’t tell you what password the breached data may have had alongside your email address. (In case you’re curious, there are very good reasons why HaveIBeenPwned doesn’t want to link any passwords to email addresses.)

So, what do we have?

We have a notification that email addresses and passwords associated with me have been found on the internet. But because this particular collection of breached data is accumulated from a wide variety of hacked sites, I don’t know which accounts may be at risk.

It would be the type of thing that would be helpful to know, as then I’d know where I might want to consider changing my passwords. It might also provide me with a pointer as to the urgency of the situation – after all, having a password stolen which grants access to a Doctor Who message board is arguably less important than the one I use to file my tax return.

Furthermore, because I haven’t been told what passwords of mine were included in the breached data, I don’t know if the exposed passwords are ones that I used years ago (and may already have changed following a notification of a breach at a specific website), or are passwords that I might reuse on a number of different websites.

Well, actually I *should* know the answer to that last one… If I follow best practices and don’t ever reuse passwords!

Good password management solutions like 1Password, Dashlane, and LastPass don’t just store your passwords securely. They can also audit your password vault to see whether you have made the mistake of reusing the same password on different accounts.

If it does turn out that you are reusing passwords, change them.

If you’ve taken the step of using a password manager then I hope you’re also taking advantage of their ability to generate complex, hard-to-crack, unique passwords rather than using your puny brain to do the job.

Reading this far means there’s a good chance that your information was, like mine, included in the Collection #1 data breach.

Here’s my advice:

  • Don’t panic, have a cup of tea.
  • While the kettle is boiling, get a password manager and start using it. Seriously people, it’s 2019 not 1989.
  • Make sure that you are using different passwords for all of your accounts. When you need a new password, get your password manager to choose it for you (they’ll choose some long and complicated gobbledygook that you won’t be able to remember – that’s good! It’s your password manager’s job to remember it, not you).
  • If your password manager includes the ability to check your passwords against a list of passwords that have been seen in past data breaches, all the better; otherwise you might choose to check manually.
  • Ensure that as many of your online accounts as possible are protected with two-factor authentication (2FA). It’s not fool-proof, but 2FA and its close cousin 2SV (two-step verification) make it much harder for your account to be hacked, even if bad guys do learn your password.
  • Sign up for the HaveIBeenPwned notification service, so you get a heads-up the next time your details are found in a data breach. If you are responsible for the security of a company, and can verify that you are responsible for its domain, you can also receive notifications related to any associated email addresses.
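
For the curious, here is roughly what a password manager's reuse audit and breached-password check do under the hood. This is an added example, not code from any of the products named above: the vault entries, the breach corpus and its counts are constructed, the function names are hypothetical, and `offline_fetch_range` stands in for the Pwned Passwords range lookup so the script runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault of (site, password) pairs; not real credentials.
VAULT = [
    ("forum.example", "correct horse battery"),
    ("tax.example", "correct horse battery"),
    ("mail.example", "password"),
    ("bank.example", "vT9#qLw2!xR7m$Zp"),
]
# Constructed stand-in for the breached-password corpus; counts are made up.
CONSTRUCTED_CORPUS = {"password": 1000, "123456": 2000}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def offline_fetch_range(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns 'SUFFIX:COUNT' lines for every corpus hash sharing the prefix."""
    lines = ["0" * 35 + ":1"]  # decoy entry that must not match
    for password, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(password)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

def breach_count(password, fetch_range=offline_fetch_range):
    """k-anonymity lookup: only the first 5 hex characters of the SHA-1
    are handed to fetch_range; the suffix comparison happens locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def find_reused(vault):
    """Return groups of sites that share one password."""
    sites = defaultdict(list)
    for site, password in vault:
        sites[sha1_hex(password)].append(site)
    return sorted(sorted(group) for group in sites.values() if len(group) > 1)

def audit(vault, fetch_range=offline_fetch_range):
    """Report reused passwords and passwords present in the breach corpus."""
    breached = sorted(s for s, pw in vault if breach_count(pw, fetch_range) > 0)
    return {"reused": find_reused(vault), "breached": breached}

if __name__ == "__main__":
    print(audit(VAULT))
```

The point of the five-character prefix is that neither the password nor its full hash ever leaves your machine; the service only learns which bucket of hashes you asked about.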

Take care folks.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
