Protecting your organization from the “Collection #1” leak

The latest addition to Specops Password Policy includes more than 21 million passwords from a collection of data breach files originally found on MEGA, a cloud service. The files have since been removed from MEGA, but not before cyber security expert Troy Hunt extracted the data he calls “Collection #1”. The data has since been added to Have I Been Pwned, a free service that allows people to check to see if their accounts have been compromised in a data breach.

The Collection #1 data set includes more than 1 billion unique combinations of email addresses and passwords. The data is not from just one alleged data breach, but more than 2,000 dehashed databases. These data breaches are alleged as of now, since it would be a time consuming process to verify so many potential breaches. Troy Hunt writes in his blog that he did see his own personal data (email and old password) in the data set, which is one reason that he chose to update the Have I Been Pwned service with the new data. More than 21 million passwords have been added to Specops’ password list service due to the addition of Collection #1.

Specops offers a hosted service with a continuously updated list of previously leaked passwords. The service works together with Specops Password Policy so that companies and organizations can block all passwords found on the password list. The service blocks people from choosing banned passwords and informs as to why they cannot use the password.

The Specops password list currently contains 1,094,124,240 passwords, making it a comprehensive blocking service for any organization wanting to eliminate weak passwords or meet compliance requirements such as NIST and NCSC.

Major data breaches should be a reminder to everyone to stop reusing password between services, avoid simple or short passwords, and enable multi-factor authentication when possible.