Data Breach

Concerning, Not Catastrophic: How to Handle the Collection 1 Data Breach

On January 17, news broke about one of the biggest data breaches in history: 772 million unique email addresses and 21 million unique passwords were leaked online. Dubbed "Collection 1" by security researcher Troy Hunt, who first discovered and reported the breach, the files were uploaded to a popular cloud service called MEGA and up for grabs to anyone with an internet connection. They have since been removed from the site.

What Should I Do to Protect Myself?

First, take a deep breath. It's always important to protect your identity, but there are concrete steps you can take to mitigate harm in a situation like this one.

1. Check Whether Your Data Has Been Compromised

Hunt offers a free service to find out whether your personal data was part of a breach. You can check whether your email address has been compromised at Have I Been Pwned, while you can see whether your passwords have been exposed at Pwned Passwords. If your information appears in either of these databases, it's important that you change your passwords.

2. Create Unique Passwords for Every Login

Even if your data has not been exposed, the most important thing you can do to protect yourself is to ensure that you never reuse passwords across multiple sites and logins. It may be tempting to recycle passwords for convenience, but it makes identity theft a lot easier for hackers. See Experian's guide to secure passwords here.

"People take lists like these that contain our email addresses and passwords [and] attempt to see where else they work," says Hunt. "The real risk posed by incidents like this is password reuse, and you need to avoid that to the fullest extent possible."

3. Use a Password Manager

It's tough to come up with a unique password for each site when, in this day and age, you likely have dozens, if not hundreds, of accounts to manage. That's why a password manager like LastPass or 1Password is indispensable. These services create secure, hard-to-crack passwords for each of your logins and store them within a secure vault. You only need to remember one master password to access them.

If you can't use a password manager, go old school all the way—write them down in a notebook.

"It might be contrary to traditional thinking, but writing unique passwords down in a book and keeping them inside your physically locked house is a damn sight better than reusing the same one all over the web," says Hunt.

4. Enable Two-Factor Authentication

To truly safeguard your accounts, two-factor authentication is a must. This security feature requires a unique code sent by a text message, call or email to log into your account after entering your password. That way, even if someone obtains your password, they can't log into your account without the code.

Most accounts today require you to actively enable two-factor authentication. Make sure you do it at least for your most important account—your email address. If a thief can access your email address and password, they are likely able to access all your other accounts and change passwords. Enable two-factor authentication on your financial services accounts, as well.

5. Watch out for Phishing Scams

Even though some of the data in the Collection 1 breach is stale, identity thieves may be tempted to use it to coax people out of other information through phishing scams. That's when fraudsters use information about you, such as your name or email address, to get you to divulge other personal data through email or text, or install malware onto your phone or computer. Never click on links in email or text asking you to divulge personal information.

Monitor Your Identity to Keep It Safe

Finally, if you're concerned your personally identifiable information was exposed, you should check your free Experian credit report for errors or suspicious accounts. Run a free dark web scan as well to find out whether information like your Social Security number, phone number or email addresses are on the dark web.

Remember, the initial fraud alerts mentioned above do not block access to your credit reports. One way to do that is to freeze your credit reports, a free measure that prevents lenders from issuing new credit in your name altogether.

Another way is through Experian CreditLock, a benefit offered by Experian's CreditWorksSM and IdentityWorksSM products, which:

  • Allows you to easily lock or unlock your report in real time, with no waiting period.
  • Provides daily monitoring of your credit file, which means you will be alerted about any key changes, including new account openings.
  • Provides up to $1 million in identity theft insurance: If you become a victim of identity theft, you can be covered for the unreimbursed costs of restoring your identity, like fraudulent electronic fund transfers, lost wages, legal fees, and travel expenses.
  • Gives you access to your Experian credit report and FICO® Score* , along with all the other benefits of Experian membership, such as dark web monitoring, which lets you know if your information is found on the dark web.