The trove of information – which is being referred to as Collection #1 – contains email addresses and passwords taken from a series of breaches from websites around the internet. It is now readily available, having been published online for conceivably anyone to download.
The scale of the dump is unprecedented: it includes 800 million email addresses and passwords, many of which will have been re-used over the internet. Taken together, it is a powerful set of information for anyone who wants to attack people with it.
Anyone affected by the hack could have the information found within it used against them. And anyone who has used the internet in the last decade could be one of those affected.
But there are some important ways to stay safe against the kind of attacks that malicious internet users might carry out with the information.
How do I know if I've been hacked?
First, it's useful to know whether you're part of the hack, though it is good to be conscientious and vigilant about how you use the internet whether you were or not.
To find out, head to the website HaveIBeenPwned.com. That website is run by cyber security researcher Troy Hunt, who also happened to bring the new cache of details to the notice of the public, as well as adding them to his collection of affected accounts.
On that site, you can type in any email addresses you own, and the site will tell you not just whether they have been part of a breach but also how many times and from where.
You can also type in specific passwords, allowing you to find out if those have been exposed, too. Most likely they have, if you're not using good password hygiene already, and so if the screen turns red it doesn't mean there's any immediate need to panic.
Once you know whether you have been hit by the new attack or not, it is important to secure your accounts against abuse from this leak or any other in the future.
What might happen to me if my data has been stolen?
The newly leaked information, according to Mr Hunt, came from a database that was created for hackers to use for credential stuffing. That is something like how it sounds: it means stuffing a whole host of different logins into accounts in an automated way, until they get lucky and the account is unlocked, allowing them access to whatever was being secured.
It works because people tend to reuse their email addresses and passwords across a range of different sites. If someone stole your login from one long-forgotten website, then you might still be using the same details now – a forum you've not used in years could allow an attacker into your Facebook account or bank, if you've not changed the password.
So, in theory, you might lose access to your accounts. In practice, it's relatively easy to stop that happening – so long as you take proactive measures.
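For those running a website rather than just logging into one, the pattern described above (one source trying a whole host of different logins and mostly failing) can be spotted in login records. The following is an added example, not part of the original article: the log format, the sample lines and the thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample log: "timestamp source_ip username result" (not real data).
SAMPLE_LOG = """\
2019-01-17T10:00:01 203.0.113.7 alice@example.com FAIL
2019-01-17T10:00:02 203.0.113.7 bob@example.com FAIL
2019-01-17T10:00:03 203.0.113.7 carol@example.com FAIL
2019-01-17T10:00:04 203.0.113.7 dave@example.com OK
2019-01-17T10:00:05 203.0.113.7 erin@example.com FAIL
2019-01-17T10:00:06 203.0.113.7 frank@example.com FAIL
2019-01-17T10:02:10 198.51.100.4 grace@example.com FAIL
2019-01-17T10:02:25 198.51.100.4 grace@example.com FAIL
2019-01-17T10:02:41 198.51.100.4 grace@example.com OK
2019-01-17T10:05:00 192.0.2.9 heidi@example.com OK
"""

def parse(log):
    """Yield (source_ip, username, succeeded) per well-formed line; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2].lower(), parts[3] == "OK"

def detect_stuffing(log, min_accounts=5, min_fail_ratio=0.7):
    """Flag sources that try many distinct accounts and mostly fail.

    Thresholds are illustrative assumptions, not tuned values.
    Returns {source_ip: sorted accounts that were successfully logged into}.
    """
    attempts = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "hits": set()})
    for ip, user, ok in parse(log):
        s = attempts[ip]
        s["users"].add(user)
        s["total"] += 1
        if ok:
            s["hits"].add(user)
        else:
            s["fails"] += 1
    flagged = {}
    for ip, s in attempts.items():
        # One user retyping a password has few distinct accounts, so is not flagged.
        if len(s["users"]) >= min_accounts and s["fails"] / s["total"] >= min_fail_ratio:
            flagged[ip] = sorted(s["hits"])
    return flagged

if __name__ == "__main__":
    for ip, hits in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: possible credential stuffing; force reset for {hits}")
```

The accounts returned for a flagged source are the ones where a reused password worked, so they are the ones to lock and reset first. Attempts are often spread across many source addresses, so counting per address is only a first signal.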
What should I do?
Most importantly, regularly change your passwords and make sure you are not using them across websites. It can be much easier to keep using the same old password across a variety of sites – but it will be a lot harder when something goes wrong.
A variety of services, called password managers, can do this for you, making it much easier to avoid reusing passwords. They are growing in popularity – companies like 1Password have long offered apps for a variety of platforms, and Apple has even built its own password manager into iOS and Safari on the Mac, allowing it to generate and then store your logins away.
Some password managers even offer the ability to see when one of your stored passwords turns up in a breach like this, and easy ways of picking a new one. So it is an investment for the future too.
The Independent