773 Million Records Amassed in Massive Data Breach Collection

A newly discovered set of compromised login details contains roughly 773 million email addresses, Australian web security expert Troy Hunt reveals.

For years, Hunt, who is a Microsoft Regional Director, has been maintaining Have I Been Pwned, a data breach search website that allows users to check whether their email addresses and passwords have been compromised in publicly known data breaches.

Today, he loaded yet another massive dataset into the website. The raw dump contained a total of 2,692,818,238 rows of email addresses and passwords.

Named “Collection #1,” the database is made up of many different individual data breaches from thousands of different sources. The researcher identified a total of 1,160,253,228 unique combinations of email addresses and passwords in the dataset.

Because much of the data was inconsistently formatted, a portion of it was discarded during processing; even so, 772,904,991 unique email addresses were identified. After clean-up, the dataset also yielded 21,222,975 unique passwords.

“This is the headline you’re seeing as this is the volume of data that has now been loaded into Have I Been Pwned (HIBP). […] This number makes it the single largest breach ever to be loaded into HIBP,” Hunt says.

The leaked information appeared on the popular cloud service MEGA and included over 12,000 separate files and more than 87GB of data. It was also being offered on a popular hacking forum, where it was referred to as “a collection of 2000+ dehashed databases and Combos stored by topic” and said to contain 2,890 files.

Hunt warns that, although he recognized many legitimate breaches in the list, he did not verify the origin of the data, noting that some of the services named as compromised might not have suffered a data breach at all.

“However, what I can say is that my own personal data is in there and it’s accurate; right email address and a password I used many years ago,” he notes.

“Like many of you reading this, I’ve been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again,” Hunt also notes.

Some of the passwords appear in the dataset only as cryptographic hashes, but it also contains passwords that had already been cracked (the "dehashed" data of the forum listing) and were circulating in plain text, ready for reuse in credential stuffing attacks.

Anyone interested in learning if they might have been impacted can head over to HIBP and check whether their email address has appeared in a data breach. The website also includes a free notification service that informs users when their email address appears in a breach. According to Hunt, of the 2.2 million people subscribed to the service, 768,000 are in the new breach.
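The same kind of lookup can be done for a password without ever sending the password itself. Have I Been Pwned's Pwned Passwords service exposes a range query: the client sends only the first five hex characters of the password's SHA-1 hash to https://api.pwnedpasswords.com/range/<prefix> and receives every known hash suffix in that bucket together with its breach count, one "SUFFIX:COUNT" line per entry. The Python below is an added example, not code from the article or from Hunt's project; the corpus, the counts and the `fake_range_endpoint` stand-in for the HTTP call are constructed so the block runs offline.

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for the breach corpus the service indexes (example data only,
# not real Collection #1 content).
_CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password123": 123_456,
    "letmein": 54_321,
    "correct horse battery staple": 7,
}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_endpoint(prefix: str) -> str:
    """Constructed replacement for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns one 'SUFFIX:COUNT' line for every corpus hash that shares the 5-char
    prefix, padded with unrelated filler suffixes so the bucket is never a single
    line (a real bucket holds several hundred entries).
    """
    lines = []
    for pw, count in _CONSTRUCTED_CORPUS.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    for i in range(3):
        filler = hashlib.sha1(f"filler-{prefix}-{i}".encode("utf-8")).hexdigest().upper()
        lines.append(f"{filler[5:]}:{i + 1}")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fake_range_endpoint) -> int:
    """Return how many times the password appears in the corpus, or 0.

    Only the 5-hex-char prefix leaves the client; the server learns which of
    ~2^20 buckets the hash falls in, never the password or its full hash.
    The client matches the remaining 35 characters locally.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def is_compromised(password: str, threshold: int = 1,
                   fetch_range: Callable[[str], str] = fake_range_endpoint) -> bool:
    """True when the password has been seen at least `threshold` times."""
    return pwned_count(password, fetch_range) >= threshold


if __name__ == "__main__":
    for candidate in ("password123", "a-brand-new-passphrase-2019"):
        print(candidate, "->", pwned_count(candidate), "occurrences")
```

In production `fetch_range` would be an HTTP GET against the real endpoint; the hashing, prefix split and local suffix match stay exactly as shown, which is the point: a signup or password-change form can reject known-breached passwords without disclosing them to a third party.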

“Massive data breaches like Collection #1 create huge spikes in bot traffic on the login screens of websites, as hackers cycle through enormous lists of stolen passwords. While this is often framed as a problem for the individuals who own the passwords, any online business that has a user login web page is at risk of becoming the next breach headline,” Distil Co-founder Rami Essaid told SecurityWeek in an emailed comment.

“While it’s important that individual web users have strong, secure logins, the onus is on the businesses to detect and block malicious bot traffic before large-scale password hacks can occur,” Essaid continued.
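The bot traffic Essaid describes has a recognisable shape in authentication logs: one source cycling through many distinct usernames in a short window with a very low success rate, which is the opposite of a legitimate user retrying their own password. The following Python is an added example, not code from the article or from Distil; the log format and the sample events are constructed, and the thresholds (five distinct usernames within 60 seconds, success ratio at or below 20 percent) are illustrative starting points, not recommended values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample authentication events (not real logs):
# "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2019-01-17T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-01-17T10:00:03Z 203.0.113.7 bob@example.com FAIL
2019-01-17T10:00:05Z 203.0.113.7 carol@example.com FAIL
2019-01-17T10:00:07Z 203.0.113.7 dave@example.com FAIL
2019-01-17T10:00:09Z 203.0.113.7 erin@example.com FAIL
2019-01-17T10:00:11Z 203.0.113.7 frank@example.com OK
2019-01-17T10:00:13Z 203.0.113.7 grace@example.com FAIL
2019-01-17T10:00:15Z 203.0.113.7 heidi@example.com FAIL
2019-01-17T10:00:02Z 198.51.100.4 ivan@example.com OK
2019-01-17T10:00:20Z 198.51.100.4 judy@example.com FAIL
2019-01-17T10:00:25Z 198.51.100.4 judy@example.com OK
2019-01-17T10:00:40Z 198.51.100.4 mallory@example.com OK
2019-01-17T10:01:00Z 192.0.2.10 oscar@example.com FAIL
2019-01-17T10:01:05Z 192.0.2.10 oscar@example.com FAIL
2019-01-17T10:01:09Z 192.0.2.10 oscar@example.com FAIL
2019-01-17T10:01:15Z 192.0.2.10 oscar@example.com OK
"""


class LoginEvent(NamedTuple):
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the constructed log format into LoginEvent records."""
    events: List[LoginEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 ip, user, result == "OK"))
    return events


def detect_credential_stuffing(events: List[LoginEvent],
                               window: timedelta = timedelta(seconds=60),
                               min_distinct_users: int = 5,
                               max_success_ratio: float = 0.2) -> Dict[str, Dict[str, int]]:
    """Flag source IPs that try many different usernames with mostly failures.

    For each IP a sliding window of `window` length is moved over its events;
    a window trips the rule when it holds at least `min_distinct_users` distinct
    usernames and its success ratio is at most `max_success_ratio`. The widest
    tripping window per IP is reported. A single user retrying their own
    password (one username) or a shared NAT address with a few users logging in
    successfully does not trip it.
    """
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.src_ip].append(ev)

    flagged: Dict[str, Dict[str, int]] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            distinct = len({e.username for e in win})
            successes = sum(1 for e in win if e.success)
            if distinct >= min_distinct_users and successes / len(win) <= max_success_ratio:
                prev = flagged.get(ip)
                if prev is None or distinct > prev["distinct_users"]:
                    flagged[ip] = {"distinct_users": distinct,
                                   "attempts": len(win),
                                   "successes": successes}
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {stats}")
```

The interesting field in a hit is `successes`: a stuffing campaign that lands even one valid login from a leaked combo list is the moment an individual's reused password becomes the business's breach, so flagged IPs with a non-zero success count deserve a forced password reset and session revocation for the affected account, not just a block.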

Related: Credential Stuffing Attacks Are Reaching DDoS Proportions

Related: Compromised Credentials – The Primary Point of Attack for Data Breaches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
