773 Million Records Amassed in Massive Data Breach Collection

A newly discovered set of compromised login details contains roughly 773 million email addresses, Australian web security expert Troy Hunt reveals.

For years, Hunt, who is a Microsoft Regional Director, has been maintaining Have I Been Pwned, a data breach search website that allows users to check whether their email addresses and passwords have been compromised in publicly known data breaches.

Today, he added information from yet another massive data breach to the website, which included a total of 2,692,818,238 rows, representing email addresses and passwords.

Named “Collection #1,” the database is made up of many different individual data breaches from thousands of different sources. The researcher identified a total of 1,160,253,228 unique combinations of email addresses and passwords in the dataset.

Because the data wasn’t properly formatted, however, much of the information was dismissed, yet a total of 772,904,991 unique email addresses were identified. The dataset also revealed 21,222,975 unique passwords (after clean-up).

“This is the headline you’re seeing as this is the volume of data that has now been loaded into Have I Been Pwned (HIBP). […] This number makes it the single largest breach ever to be loaded into HIBP,” Hunt says.

The leaked information appeared on the popular cloud service MEGA and included over 12,000 separate files and more than 87GB of data. It was also being offered on a popular hacking forum, where it was referred to as “a collection of 2000+ dehashed databases and Combos stored by topic” and said to contain 2,890 files.

Hunt warns that, although he did recognize many legitimate breaches in the list, he did not verify the origin of the data, noting that some of the services claimed to have been compromised might not have been involved in a data breach at all.

“However, what I can say is that my own personal data is in there and it’s accurate; right email address and a password I used many years ago,” he notes.

“Like many of you reading this, I’ve been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again,” Hunt also notes.

Some of the passwords were stored as cryptographic hashes, but the data also contained passwords that have been cracked and converted back to plain text.

Anyone interested in learning if they might have been impacted can head over to HIBP and check whether their email address has appeared in a data breach. The website also includes a free notification service that informs users when their email address appears in a breach. According to Hunt, of the 2.2 million people subscribed to the service, 768,000 are in the new breach.

“Massive data breaches like Collection #1 create huge spikes in bot traffic on the login screens of websites, as hackers cycle through enormous lists of stolen passwords. While this is often framed as a problem for the individuals who own the passwords, any online business that has a user login web page is at risk of becoming the next breach headline,” Distil Co-founder Rami Essaid told SecurityWeek in an emailed comment.

“While it’s important that individual web users have strong, secure logins, the onus is on the businesses to detect and block malicious bot traffic before large-scale password hacks can occur,” Essaid continued.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
