Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

773 Million Records Amassed in Massive Data Breach Collection

A newly discovered set of compromised login details contains roughly 773 million email addresses, Australian web security expert Troy Hunt reveals.

A newly discovered set of compromised login details contains roughly 773 million email addresses, Australian web security expert Troy Hunt reveals.

For years, Hunt, who is a Microsoft Regional Director, has been maintaining Have I Been Pwned, a data breach search website that allows users to check whether their email addresses and passwords have been compromised in publicly known data breaches.

Today, he added information from yet another massive data breach to the website, which included a total of 2,692,818,238 rows, representing email addresses and passwords.

Named “Collection #1,” the database is made up of many different individual data breaches from thousands of different sources. The researcher identified a total of 1,160,253,228 unique combinations of email addresses and passwords in the dataset.

Because the data wasn’t properly formatted, however, much of the information was dismissed, yet a total of 772,904,991 unique email addresses were identified. The dataset also revealed 21,222,975 unique passwords (after clean-up).

“This is the headline you’re seeing as this is the volume of data that has now been loaded into Have I Been Pwned (HIBP). […] This number makes it the single largest breach ever to be loaded into HIBP,” Hunt says.

The leaked information appeared on the popular cloud service MEGA and included over 12,000 separate files and more than 87GB of data. It was also being offered on a popular hacking forum, where it was referred to as “a collection of 2000+ dehashed databases and Combos stored by topic” and said to contain 2,890 files.

Hunt warns that, although he did recognize many legitimate breaches in the list, he did not verify the origin of the data, noting that some of the services claimed to have been compromised might have not been involved in a data breach at all.

“However, what I can say is that my own personal data is in there and it’s accurate; right email address and a password I used many years ago,” he notes.

“Like many of you reading this, I’ve been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again,” Hunt also notes.

Some of the passwords were stored as cryptographic hashes, but the data also contained passwords that have been cracked and converted back to plain text.

Anyone interested in learning if they might have been impacted can head over to HIBP and check whether their email address has appeared in a data breach. The website also includes a free notification service that informs users when their email address appears in a breach. According to Hunt, of the 2.2 million people subscribed to the service, 768,000 are in the new breach.

“Massive data breaches like Collection #1 create huge spikes in bot traffic on the login screens of websites, as hackers cycle through enormous lists of stolen passwords. While this is often framed as a problem for the individuals who own the passwords, any online business that has a user login web page is at risk of becoming the next breach headline,” Distil Co-founder Rami Essaid told SecurityWeek in an emailed comment.

“While it’s important that individual web users have strong, secure logins, the onus is on the businesses to detect and block malicious bot traffic before large-scale password hacks can occur,” Essaid continued.

Related: Credential Stuffing Attacks Are Reaching DDoS Proportions

Related: Compromised Credentials – The Primary Point of Attack for Data Breaches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...