Security expert Troy Hunt has exposed the largest publication of breached data in history, affecting over 770 million email addresses and 21 million passwords.
The new finding, called "Collection #1" by Hunt, consists of 2.6 billion rows and is made up of "many different individual data breaches from literally thousands of different sources."
New breach: The "Collection #1" credential stuffing list began broadly circulating last week and contains 772,904,991 unique email addresses with plain text passwords (now in Pwned Passwords). 82% of addresses were already in @haveibeenpwned. Read more: https://t.co/BAa3rbgZo4 — Have I Been Pwned (@haveibeenpwned) January 16, 2019
The database, which goes back as far as 2008, is a staggering 87GB in size and comprises 1.1 billion unique combinations of email addresses and passwords - many of which have been "dehashed," i.e. cracked and converted back to plain text.
This is when treating the password as case sensitive but the email address as not case sensitive. This also includes some junk because hackers being hackers, they don't always neatly format their data dumps into an easily consumable fashion. (I found a combination of different delimiter types including colons, semicolons, spaces and indeed a combination of different file types such as delimited text files, files containing SQL statements and other compressed archives.)
The unique email addresses totalled 772,904,991. This is the headline you're seeing as this is the volume of data that has now been loaded into Have I Been Pwned (HIBP). It's after as much clean-up as I could reasonably do and per the previous paragraph, the source data was presented in a variety of different formats and levels of "cleanliness". This number makes it the single largest breach ever to be loaded into HIBP. -Troy Hunt
The collection was dumped on anonymous storage site MEGA before it was posted on a popular hacking forum for anyone to access.
Last week, multiple people reached out and directed me to a large collection of files on the popular cloud service, MEGA (the data has since been removed from the service). The collection totalled over 12,000 separate files and more than 87GB of data. One of my contacts pointed me to a popular hacking forum where the data was being socialised, complete with the following image: -Troy Hunt
This is from https://t.co/rDyOtQ84DR, a popular cracking forum, and I saw it like 10 days ago on that forum — Utkarsh Gajera (@Utkarsssh17) January 17, 2019
Not only am I on the list, I also received a phishing email telling me one of the throwaway passwords I used together with that email. So at least in my case I know who got hacked... and who will _NOT_ be receiving a bitcoin ;D — Ruben W. (@ruben_we) January 17, 2019
Just received my email. Plain text passwords 😰. I started using @haveibeenpwned and @1Password a while ago because of breaches like this. And so should you. There is @1Password which I recommend, but there are free alternatives. Use @haveibeenpwned, you'll see why it's necessary. https://t.co/y2pl7ShWtZ — Rutger Claes (@rutgerclaes) January 17, 2019
Because of this dump, it is much easier for bad actors to attempt so-called credential-stuffing attacks, in which leaked email-and-password pairs are replayed in bulk against the login forms of online platforms, relying on people reusing the same password across sites to gain access to accounts.
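What credential stuffing looks like from the defender's side is a single source trying many different accounts once or twice each, rather than hammering one account. The detection logic below is an added example (not code from the original article or from Have I Been Pwned); it runs over a few constructed authentication-log lines in an assumed `time ip= user= result=` format and flags sources whose attempts spread across many accounts with few retries per account, while leaving a classic single-account brute force to a different rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). The line format
# is an assumption for this example:
#   <ISO-8601 UTC time> ip=<address> user=<email> result=<OK|FAIL>
SAMPLE_LOG = """\
2019-01-17T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2019-01-17T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2019-01-17T10:00:02Z ip=203.0.113.5 user=carol@example.com result=OK
2019-01-17T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2019-01-17T10:00:04Z ip=203.0.113.5 user=erin@example.com result=FAIL
2019-01-17T10:00:05Z ip=203.0.113.5 user=frank@example.com result=FAIL
2019-01-17T10:00:10Z ip=198.51.100.7 user=grace@example.com result=FAIL
2019-01-17T10:00:11Z ip=198.51.100.7 user=grace@example.com result=FAIL
2019-01-17T10:00:12Z ip=198.51.100.7 user=grace@example.com result=FAIL
2019-01-17T10:00:13Z ip=198.51.100.7 user=grace@example.com result=FAIL
2019-01-17T10:00:14Z ip=198.51.100.7 user=grace@example.com result=FAIL
2019-01-17T10:00:15Z ip=198.51.100.7 user=grace@example.com result=FAIL
2019-01-17T10:00:20Z ip=192.0.2.9 user=heidi@example.com result=FAIL
2019-01-17T10:00:25Z ip=192.0.2.9 user=heidi@example.com result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_log(text):
    """Return a list of (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        # Email addresses are compared case-insensitively, as the article notes.
        events.append((ts, m.group(2), m.group(3).lower(), m.group(4)))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_accounts=5, max_tries_per_account=2):
    """Flag source IPs whose login attempts within `window` touch at least
    `min_accounts` distinct accounts with at most `max_tries_per_account`
    attempts each. That spread is the signature of replaying a leaked
    email:password list; one account with many attempts is ordinary
    brute force and is deliberately not matched here.
    Returns {ip: {"accounts": n, "successes": [users that logged in]}}."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most `window` of wall time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            attempts = defaultdict(int)
            successes = set()
            for _, user, result in evs[start:end + 1]:
                attempts[user] += 1
                if result == "OK":
                    successes.add(user)
            if (len(attempts) >= min_accounts
                    and max(attempts.values()) <= max_tries_per_account):
                prev = flagged.get(ip)
                # Keep the widest matching window seen for this source.
                if prev is None or len(attempts) > prev["accounts"]:
                    flagged[ip] = {"accounts": len(attempts),
                                   "successes": sorted(successes)}
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['accounts']} accounts tried, "
              f"successful logins: {info['successes'] or 'none'}")
```

The `successes` list is the actionable part: an account that a flagged source logged into successfully is one where the leaked password still worked, so it is a candidate for a forced reset and a session revocation rather than just a rate limit.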
Fortunately, it doesn't appear that credit card data or social security numbers were part of the publication.
Hunt recommends running your email through his "Have I Been Pwned" breach-notification service, though that's entirely up to you: with all due respect, we don't know Hunt, and while the site is helpful, it also identifies real people vs. bots.
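The passwords from this dump were loaded into Pwned Passwords, which can be queried without handing over the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and checks the returned list of hash suffixes locally (the k-anonymity scheme). The code below is an added example, not the article's or Have I Been Pwned's own code; it uses the real endpoint https://api.pwnedpasswords.com/range/ for the optional live lookup, and ships with a constructed response for the prefix of the well-known SHA-1 of "password" so it can be exercised offline. The count in that constructed response is made up.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real Pwned Passwords endpoint


def split_hash(password):
    """SHA-1 the password and split the uppercase hex digest into the
    5-character prefix that is sent and the 35-character suffix that
    never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into
    {suffix: count}. Blank or malformed lines are ignored."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix):
    """Live lookup: only the 5-character prefix is sent over the network."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the service. "5BAA6" is the real prefix of
# SHA-1("password"); the first suffix is that hash's real remainder, the
# other two suffixes and all three counts are invented for this example.
FAKE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    ),
}


def offline_fetch(prefix):
    """Return the constructed response, or an empty body for unknown prefixes."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password, fetch=offline_fetch):
    """Number of times the password appears in the queried corpus
    (0 means the suffix was not in the returned range)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not found")
```

To run against the live service, call `pwned_count(pw, fetch=fetch_range_live)`. A non-zero count means the password should be treated as burned regardless of which breach it came from; the design choice worth noting is that the suffix comparison happens locally, so neither the password nor its full hash is ever sent.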
Read more about "Collection #1" here.